HP StorageWorks Fabric OS 6.x administrator guide
Part number: 5697-7344. Edition: March 2008
Legal and notice information
© Copyright 2008 Hewlett-Packard Development Company, L.P.
© Copyright 2008 Brocade Communications Systems, Incorporated.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided “as is” without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Product names mentioned herein may be trademarks of their respective companies.
Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation.
Contents

About this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Supported Fabric OS 6.x HP StorageWorks hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Intended audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Related documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Document conventions and symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Rack stability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
HP technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Customer self repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Product warranties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Subscription service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
HP websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Documentation feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1 Standard features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Connecting to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Using Telnet or SSH session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Using a console session on the serial port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Changing passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Changing default account passwords at login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring the Ethernet interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Displaying the network interface settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Setting static Ethernet addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuring DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Enabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Disabling DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Setting the date and time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Setting time zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Synchronizing local time using NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Customizing switch names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Working with Domain IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Licensed features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Generating a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Activating a license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Removing a licensed feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Features and required licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Inter-Chassis Link (ICL) licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Time-based licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
High Availability considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Firmware upgrade and downgrade consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configupload and Configdownload considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Expired licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Ports on Demand (POD) licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Activating POD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
How ports are assigned to licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Displaying the port license assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Activating Dynamic Ports on Demand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Disabling Dynamic Ports on Demand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Managing POD licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Reserving a license . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Releasing a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Disabling and enabling switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Disabling and enabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Making basic connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Connecting to devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Connecting to other switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Linking through a gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Checking status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Tracking and controlling switch changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring the audit log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Auditable event classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Shutting down switches and Directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
High Availability of daemon processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2 Managing user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Accessing the management channel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Using Role-Based Access Control (RBAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Role permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Managing the local database user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
About the default accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Defining local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Recovering accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Changing local account passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configuring the local user database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Distributing the local user database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Protecting the local user database from distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configuring password policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Setting the password strength policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Setting the password history policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Setting the password expiration policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Upgrade and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Setting the account lockout policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Denial of service implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Authentication model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Creating Fabric OS user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Managing Fabric OS users on the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Windows 2000 IAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Linux FreeRadius server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
RADIUS configuration and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring the RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
LDAP configuration and Microsoft’s Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Configuring authentication servers on the switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Enabling and disabling local authentication as backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Boot PROM password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Setting the boot PROM password with a recovery string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). . . . . . . . . . . . . . 82
Setting the boot PROM password without a recovery string. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director). . . . . . . . . . . . . . 83
Recovering forgotten passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
3 Configuring standard security features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Secure protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Ensuring network security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configuring the Telnet protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Blocking Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Unblocking Telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Blocking listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Accessing switches and fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Port configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configuring for the SSL protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Browser and Java support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Summary of SSL procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Choosing a CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Generating a public/private key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Generating and storing a CSR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Obtaining certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Installing a switch certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Activating a switch certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring the browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Installing a root certificate to the Java plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Displaying and deleting certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Troubleshooting certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring for SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Setting the security level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Using the snmpConfig command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring secure file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4 Configuring advanced security features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
About access control list (ACL) policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
How the ACL policies are stored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Identifying policy members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Configuring ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Displaying ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Configuring an FCS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
FCS policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Overview of steps to create and manage the FCS policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Modifying the Primary FCS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Distributing an FCS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Configuring a DCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
DCC policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Creating a DCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Examples of creating DCC policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Creating an SCC policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Saving changes to ACL policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Activating changes to ACL policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Adding a member to an existing policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Removing a member from an ACL policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Deleting an ACL policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Aborting all uncommitted changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Configuring the authentication policy for fabric elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
E_Port authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Device authentication policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Auth policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Supported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Selecting authentication protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Re-authenticating ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Managing secret key pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Fabric wide distribution of the Auth policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Accept distributions configuration parameter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Creating an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Cloning an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Displaying an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Saving an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Activating an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Deleting an IP Filter policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
IP Filter policy enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Creating IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Deleting IP Filter policy rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Aborting a switch session transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
IP Filter policy distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
IP Filter policy restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Distributing the policy database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Configuring the database distribution settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Distributing ACL policies to other switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Setting the consistency policy fabric-wide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Notes on joining a switch to the fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Matching fabric-wide consistency policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Non-matching fabric-wide consistency policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
FIPS support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Zeroization functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Power-up self tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Conditional tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
FIPS mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Preparing the switch for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Overview of steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
5 Maintaining configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Maintaining consistent configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Displaying configuration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Backing up a configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Troubleshooting configuration upload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Restoring switch information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Restoring a configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Configuration download without disabling a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Security considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Troubleshooting configuration download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Messages captured in the logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Restoring configurations in a FICON environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Downloading configurations across a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Configuration form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
6 Managing administrative domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Admin Domain features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Requirements for Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
User-defined Administrative Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
System-defined Administrative Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
AD0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
AD255 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Admin Domain access levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Admin Domains and login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Admin Domain member types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Device members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Switch port members. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Switch members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Admin Domains and switch WWN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Admin Domain compatibility and availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Admin Domains and merging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Firmware upgrade and downgrade scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Managing Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Understanding the AD transaction model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Implementing Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Creating an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Assigning a user to an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Activating and deactivating Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Adding and removing Admin Domain members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Renaming an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Deleting an Admin Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Deleting all user-defined Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Validating an Admin Domain member list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Using Admin Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Using CLI commands in an AD context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Executing a command in a different AD context. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Displaying an Admin Domain configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Switching to a different Admin Domain context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Performing zone validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Admin Domain interactions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Admin Domains, zones, and zone databases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Admin Domains and LSAN zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configuration upload and download in an AD context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
7 Installing and maintaining firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
About the firmware download process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Upgrading and downgrading firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Effects of firmware changes on accounts and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Considerations for FICON CUP environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Preparing for firmware downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Checking connected switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Obtaining and decompressing firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Performing firmwareDownload on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Overview of the firmware download process on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, and firmware download . . . . . . . . . . . . . . . . . . . . 170
Downloading firmware to a Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Overview of the firmware download process on directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
4/256 SAN Director and DC Director firmwareDownload procedure . . . . . . . . . . . . . . . . . . . . . . . 172
Director restrictions for downgrading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
firmwaredownload from a USB device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
FIPS Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Public and private key management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
The firmwareDownload command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Power-on firmware checksum test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Testing and restoring firmware on switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Testing and restoring firmware on directors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Validating firmwareDownload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Troubleshooting firmwareDownload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Considerations for downgrading firmware to Fabric OS 5.3.0 or earlier. . . . . . . . . . . . . . . . . . . . . . . . 184
Preinstallation messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Blade troubleshooting tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
8 Configuring Directors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Changing a Director’s name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Identifying ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Director port numbering schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
By slot and port number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
By port area ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
By index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Basic blade management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Powering port blades off and on . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Disabling and enabling port blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
FR4-18i blade exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
FC4-48 and FC8-48 blade exceptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Conserving power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Blade terminology and compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
CP blades. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Core blades . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Port blade compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Setting chassis configuration options for the 4/256 Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Obtaining slot information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
9 Routing traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
About data routing and routing policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Specifying the routing policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Assigning a static route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Specifying frame order delivery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Using dynamic load sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Viewing routing path information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Viewing routing information along a path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
10 Using the FC-FC routing service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Supported platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Supported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Fibre Channel routing concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Proxy devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Routing types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Fibre Channel NAT and phantom domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Setting up the FC-FC routing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Performing verification checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Assigning backbone fabric IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring FCIP tunnels (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring FC-FC routing to work with Secure Fabric OS (optional) . . . . . . . . . . . . . . . . . . . . . . . . 219
Configuring DH-CHAP secret. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Configuring an interfabric link. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
portCfgExport options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Configuring the FC router port cost (optional). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Using router port cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Upgrade, downgrade, and HA considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Port cost considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Setting a proxy PID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Matching fabric parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configuring EX_Port frame trunking (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Supported configurations and platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
High Availability support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Backward compatibility support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Using EX_Port frame trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Trunking commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Configuring LSANs and zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Use of administrative domains with LSAN zones and FCR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Defining and naming zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
LSAN zones and fabric-to-fabric communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
LSAN zone binding (optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Dual backbone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Maximum LSAN count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Configuring backbone fabrics for interconnectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
HA and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
IPFC over FCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Broadcast configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Monitoring resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Routing ECHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Upgrade and downgrade considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Interoperability with legacy FCR switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Backward compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Front domain consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Using front domain consolidation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Range of output ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Interoperating with an M-EOS fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
McDATA Mi10K interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Configuring the fabrics for interconnectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Connectivity modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring the FC router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Configuring M-EOS for interconnection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
LSAN zoning with M-EOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Completing the configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Migrating from an MP Router to a 400 MP Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Non-redundant configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Redundant configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Dual backbone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Devices directly connected to router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
11 Administering FICON fabrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Overview of Fabric OS support for FICON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Supported switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Types of FICON configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Control Unit Port (CUP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
FICON commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
User security considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Configuring switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Preparing a switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Configuring a single switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Configuring a high-integrity fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Setting a unique Domain ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Displaying information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Link incidents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Registered listeners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Node identification data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
FRU failures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Swapping ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Clearing the FICON management database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Using FICON CUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Setup summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Enabling and disabling FICON Management Server mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Setting up CUP when FICON Management Server mode is enabled . . . . . . . . . . . . . . . . . . . . . . . . 270
Displaying the fmsmode setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Displaying mode register bit settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Setting mode register bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Persistently enabling/disabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Port and switch naming standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Adding and removing FICON CUP licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Zoning and PDCM considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Zoning and link incident reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Identifying ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Backing up and restoring FICON configuration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Recording configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Sample IOCP configuration file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
12 Configuring the Distributed Management Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Enabling and disabling the platform services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Controlling access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Configuring the server database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Controlling topology discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
13 Working with Diagnostic Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
About Fabric OS diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Viewing power-on self test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Viewing switch status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Viewing port information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Viewing equipment status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Viewing the system message log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Viewing the port log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Configuring for syslogd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring the host. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring the switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Viewing and saving diagnostic information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Setting up automatic trace dump transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
14 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
About troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Most common problem areas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Gathering information for technical support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Troubleshooting questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Analyzing connection problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Restoring a segmented fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Correcting zoning setup issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Recognizing MQ-WRITE errors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Correcting I2C bus errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Correcting device login issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Identifying media-related issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Correcting link failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Correcting marginal links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Inaccurate information in the system message log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Tracing Fibre Channel information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Configuring ftrace for a tunnel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Displaying ftrace for a tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Recognizing port initialization and FCP auto discovery process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Using port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Supported hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Port mirroring considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Creating, deleting, and displaying port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
15 Administering NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
About NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Enabling and disabling NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Configuring NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Configuration scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Viewing NPIV port configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Displaying login information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
16 Optimizing fabric behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Introduction to adaptive networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Top Talkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Traffic Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
TI zone failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
FSPF routing rules and Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
General rules for TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Supported configurations for Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Limitations and restrictions of Traffic Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Admin Domain considerations for Traffic Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Creating a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Modifying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Activating and deactivating a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Deleting a TI zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Displaying TI zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
QoS: ingress rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
QoS: SID/DID traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
QoS zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
QoS on E_Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Supported configurations for traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Setting traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
17 Administering Advanced Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
About Advanced Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Monitoring AL_PAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Monitoring end-to-end performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Adding end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Setting a mask for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Deleting end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Monitoring filter-based performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Adding standard filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Adding custom filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Deleting filter-based monitors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Monitoring ISL performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Identifying top bandwidth users (Top Talkers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Using Top Talker monitors in port mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Using Top Talker monitors in fabric mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Limitations of Top Talker monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Monitoring trunks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Displaying monitor counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Known display problem and workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Clearing monitor counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Saving and restoring monitor configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Collecting performance data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
18 Administering Extended Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Extended Fabrics licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Extended Fibre Channel over distance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Distance levels for extended Inter-Switch Links (ISLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Buffer-to-Buffer Credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
FC switch port Buffer Credit requirements for long distance calculations . . . . . . . . . . . . . . . . . . . . . . 365
Determining how many ports can be configured for long distance . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Displaying the remaining buffers in a port group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Fabric considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Long distance link initialization activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Extended Fabrics device limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Configuring an extended ISL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
19 Administering ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
About ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Standard trunking criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
EX_Port trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Fabric considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Initializing trunking on ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Monitoring traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Enabling and disabling ISL Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Setting port speeds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Displaying trunking information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Trunking over Extended Fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Trunking distances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Troubleshooting trunking problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Listing link characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Recognizing buffer underallocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
20 Administering Advanced Zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
About zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Zone types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Zone objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Zoning schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Zone configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Zoning enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Software-enforced zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Hardware-enforced zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Best practices for zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Broadcast zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Supported switches for broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Broadcast zones and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Upgrade and downgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
High Availability considerations with broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Loop devices and broadcast zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Backward compatibility with pre-5.3.0 switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Broadcast zones and default zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Creating and managing zone aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Creating and maintaining zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Activating default zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Merging zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Creating and modifying zoning configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Maintaining zone objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Managing zoning configurations in a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Adding a new switch or fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Splitting a fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Using zoning to administer security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Resolving zone conflicts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
21 Configuring and monitoring FCIP extension services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
FCIP services licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Platforms that support SAN extension over IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
FCIP concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Virtual ports and FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Virtual port types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
QoS concepts and implementation over FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
Layer three DiffServ Code Points (DSCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
VLAN tagging and layer two class of service (L2CoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
When both DSCP and L2CoS are used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
IPSec concepts and implementation over FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Options for enhancing tape write I/O performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
FCIP fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Constraints for FCIP fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
FCIP fastwrite/tape pipelining configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Unsupported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
FICON emulation concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
XRC emulation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Tape write pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Tape read pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Device level acknowledgment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
TIN/TIR emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Read block ID emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
FTRACE concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
FCIP services configuration guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Checklist for configuring FCIP links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Configuring IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
IPSec parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Managing policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Persistently disabling ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring VEX ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
Configuring IP interfaces and IP routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
Configuring FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Configuring FICON emulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Configuring FTRACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Verifying the FCIP tunnel configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Enabling persistently disabled ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Modify and delete command options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Modifying FCIP tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Modifying/deleting QoS Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
FICON emulation modify operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Deleting an fcip tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Deleting an IP interface (IPIF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Deleting an IProute. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Deleting an FTRACE configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Maintaining VLAN tag tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Troubleshooting FCIP links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
WAN performance analysis tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
About the ipperf option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Running WAN tool sessions with an FCIP tunnel online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
FCIP port bandwidth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
WAN tool performance characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Starting WAN tool analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
WAN tool ipPerf syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Using portCmd ping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Using portCmd traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
FCIP tunnel performance characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
FICON performance statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
FTRACE output control and display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
FC fastwrite concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Platforms and OS requirements for FC fastwrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Constraints for FC fastwrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
How FC fastwrite works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
FC fastwrite flow configuration requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Hardware considerations for FC fastwrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Configuring and enabling FC fastwrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
Disabling FC fastwrite on a blade or switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Disabling FC fastwrite on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
A Configuring the PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
About PIDs and PID binding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Summary of PID formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Impact of changing the fabric PID format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Host reboots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Static PID mapping errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
Changes to configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Selecting a PID format. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Evaluating the fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Planning the update procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Online update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Offline update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Hybrid update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Changing to core PID format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Converting port number to area ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Performing PID format changes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Basic procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
HP/UX procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
AIX procedure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Swapping port area IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
B Implementing an interoperable fabric. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Understanding Brocade and McDATA interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Determining McDATA-aware features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Determining McDATA-unaware features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Supported Connectivity for Fabric 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Feature support and interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
M-EOS 9.6.2 features supported in Fabric OS 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Port number offset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
NPIV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
M-EOS 9.6.2 features not supported by Fabric OS 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Domain ID offset configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Diagnostic test differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Optional 6.0 licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Supported switches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Supported features McDATA Fabric mode (interopmode 2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Supported features McDATA Open Fabric mode (interopmode 3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
Unsupported features McDATA Fabric and Open Fabric modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
McDATA Fabric mode configuration restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
McDATA Open Fabric mode configuration restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Upgrade and downgrade restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Zoning restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Zone name restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Activating zones in McDATA Fabric mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Default zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Safe zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Activating zone configurations on a standalone switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Activating zone configurations fabric-wide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Verifying the effective zone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Moving to McDATA Open Fabric mode from earlier Fabric OS versions . . . . . . . . . . . . . . . . . . . . . . . . 489
Enabling McDATA Open Fabric mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
Enabling McDATA Fabric mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Enabling Brocade Native mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Enabling Fabric OS L2 SANtegrity (Fabric Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
FCR SANtegrity (Fabric Binding). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Enabling FCR Fabric Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Support for coordinated Hot Code Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Supported configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Upgrade and downgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
Activating Hot Code Load. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
C Understanding legacy password behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Password management information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Password prompting behaviors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Password migration during firmware changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Password recovery options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
D Using Remote Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
About Remote Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Remote Switch capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Using Remote Switch with a gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
E Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Figures
1 DH-CHAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
2 Fabric with two Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
3 Filtered fabric views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
4 Fabric with AD0 and AD255 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
5 Fabric showing switch and device WWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
6 Filtered fabric views showing converted switch WWNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
7 Isolated subfabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
8 A metaSAN with interfabric links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
9 A metaSAN with edge-to-edge and backbone fabrics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
10 Edge SANs connected through a backbone fabric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
11 MetaSAN with imported devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
12 EFCM SAN status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
13 SAN Pilot and EFCM Zone screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
14 Adding a zone set name in SAN Pilot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
15 Non-redundant router configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
16 Configuration during the upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
17 Redundant router configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
18 Dual backbone fabric configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
19 Cascaded configuration, two switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
20 Cascaded configuration, three switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
21 Traffic isolation zone creating a dedicated path through the fabric . . . . . . . . . . . . . . . . . . . . . . . . 329
22 Dedicated path (shortest path) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
23 Dedicated path (but not the shortest path) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
24 TI zone misconfiguration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
25 QoS traffic prioritization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
26 QoS with E_Ports enabled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
27 Setting end-to-end monitors on a port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
28 Proper placement of end-to-end performance monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
29 Mask positions for end-to-end monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
30 Distribution of traffic over ISL Trunking groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
31 Zoning example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
32 Hardware-enforced nonoverlapping zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
33 Hardware-enforced overlapping zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
34 Zoning with hardware assist (mixed-port and WWN zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
35 Session-based hard zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
36 Broadcast zones and Admin Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
37 FR4-18i port numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
38 400 Multi-protocol Router port numbering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
39 Network using FCIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
40 Single tunnel, fastwrite and tape pipelining enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
41 Multiple tunnels to multiple ports, fastwrite and tape pipelining enabled on a per-tunnel/per-port basis 423
42 Unsupported configurations with fastwrite and tape pipelining . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
43 Typical network topology for FC fastwrite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
44 How FC fastwrite works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
45 4/256 SAN Director with extended edge PID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
46 Typical configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Tables
1 Switch model naming matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2 Document conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3 Default administrative account names and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4 License requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5 AuditCfg event class operands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
6 Daemons that are automatically restarted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
7 Maximum number of simultaneous sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
8 Fabric OS 6.x roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
9 Permission types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
10 RBAC permissions matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
11 Default local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
12 Authentication configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
13 Syntax for VSA-based account roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
14 dictionary.brocade file entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
15 Secure protocol support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
16 Items needed to deploy secure protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
17 Main security scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
18 Blocked listener applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
19 Access defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
20 SSL certificate files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
21 Commands for displaying and deleting SSL certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
22 SSL messages and actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
23 Security database size restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
24 Valid methods for specifying policy members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
25 FCS policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
26 Switch operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
27 Distribution policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
28 DCC policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
29 SCC policy states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
30 Supported services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
31 Implicit IP Filter rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
32 Default IP policy rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
33 Interaction between fabric-wide consistency policy and distribution settings . . . . . . . . . . . . . . . . . . . 122
34 Supported policy databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
35 ACL policy database distribution behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
36 Fabric-wide consistency policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
37 Merging fabrics with matching fabric-wide consistency policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
38 Examples of strict fabric merges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
39 Fabric merges with tolerant/absent combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
40 Zeroization behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
41 FIPS mode restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
42 CLI commands to display switch configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
43 Backup and restore in a FICON CUP environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
44 Configuration and connection information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
45 AD user types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
46 Ports and devices in CLI output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
47 Admin Domain interaction with Fabric OS features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
48 Configuration upload and download scenarios in an AD context. . . . . . . . . . . . . . . . . . . . . . . . . . . 163
49 Effects of firmware changes on accounts and passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
50 Recommended firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
51 Port numbering schemes for the 4/256 Director and DC Director . . . . . . . . . . . . . . . . . . . . . . . . . . 194
52 Default index/area_ID core PID assignment with no port swap . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
53 Director terminology and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
54 Port blades supported by each Director . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
55 Supported configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
56 Chassis configuration options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
57 Hardware and firmware compatibility for nonsecure fabrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
58 Brocade-McDATA M-EOSc interoperability compatibility matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
59 Brocade-McDATA M-EOSn interoperability compatibility matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
60 portCfgExPort -m values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
61 Fabric OS commands related to FICON and FICON CUP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
62 FICON CUP mode register bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
63 FICON configuration worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
64 Error summary description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
65 Commands for port log management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
66 Fabric OS to UNIX message severities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
67 Common troubleshooting problems and tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
68 Types of zone discrepancies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
69 Commands for debugging zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
70 Component test descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
71 Switch component tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
72 SwitchShow output and suggested action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
73 Loopback modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
74 FTRACE configurable parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
75 Port combinations for port mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
76 Types of monitors supported on Brocade switch models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
77 Advanced performance monitoring commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
78 Commands to add filter-based monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347
79 Predefined values at offset 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
80 Port speed and distance allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
81 Extended ISL modes: HP StorageWorks 2Gb switches (Bloom and Bloom II ASICs) . . . . . . . . . . . . . . 371
82 Trunking support for SAN Switch 4/32, 4/32B and 4/64 SAN Switch (Condor ASIC) . . . . . . . . . . . . . . . . . . 381
83 Trunking support for 4/256 SAN Director and DC Directors with supported blades (Condor and Condor2 ASIC) . . . 381
84 Types of zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
85 Approaches to fabric-based zoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
86 Enforcing hardware zoning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
87 Considerations for zoning architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
88 Zoning database limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
89 Resulting database size: 0 to 96K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
90 Resulting database size: 96K to 128K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
91 Resulting database size: 128K to 256K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
92 Resulting database size: 256K to 1M. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .402
93 Tunnel and virtual port numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
94 Default Mapping of DSCP priorities to L2Cos Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
95 IPSec terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
96 Using FCIP fastwrite and tape pipelining. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
97 Command checklist for configuring FCIP links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
98 Fixed policy parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
99 Modifiable policy parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
100 WAN tool performance characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
101 Effects of PID format changes on configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
102 PID format recommendations for adding new switches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
103 McDATA-aware features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
104 McDATA-unaware features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
105 Complete feature compatibility matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
106 Supported optional features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
107 Unsupported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
108 Fabric OS Interoperability with M-EOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .483
109 Hot Code upgrade considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
110 Account/password characteristics matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .495
111 Password prompting matrix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
112 Password migration behavior during firmware upgrade/downgrade . . . . . . . . . . . . . . . . . . . . . . . 497
113 Password recovery options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
114 Zone merging scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
About this guide
This guide provides information about:
Installing and configuring Fabric OS 6.x
Managing user accounts
Using licensed features

Supported Fabric OS 6.x HP StorageWorks hardware

Table 1 lists Brocade and HP StorageWorks product models supported by Fabric OS 6.x.

Table 1 Switch model naming matrix

Brocade product name | Equivalent HP StorageWorks B-Series product name
Brocade 200E switch | HP StorageWorks 4/8 SAN Switch or HP StorageWorks 4/16 SAN Switch
Brocade 3250 switch | HP StorageWorks SAN Switch 2/8V
Brocade 3850 switch | HP StorageWorks SAN Switch 2/16V
Brocade 3900 switch | HP StorageWorks SAN Switch 2/32
Brocade 4100 switch | HP StorageWorks SAN Switch 4/32
Brocade 4900 switch | HP StorageWorks 4/64 SAN Switch
Brocade 24000 Director | HP StorageWorks SAN Director 2/128
Brocade 48000 Director | HP StorageWorks 4/256 SAN Director
Brocade FC4-16 Blade | HP StorageWorks 16 Port 4Gb Blade
Brocade FC4-32 Blade | HP StorageWorks 32 Port 4Gb Blade
FR4-18i blade | B-Series Multi-protocol (MP) Router blade
FC4-48 Blade | HP StorageWorks 4/48 SAN Director Blade
FC4-16IP Blade | HP StorageWorks iSCSI Director Blade (compatible with HP StorageWorks 4/256 SAN Director only)
Brocade 7500 | HP StorageWorks 400 Multi-protocol (MP) Router
Brocade 4012 | Brocade 4Gb SAN Switch for HP p-Class BladeSystem
Brocade 4024 | Brocade 4Gb SAN Switch for HP c-Class BladeSystem
Brocade 5000 | HP StorageWorks SAN Switch 4/32B
Brocade DCX Backbone | HP StorageWorks DC SAN Backbone Director (short name, DC Director)
FC10-6 Blade | HP StorageWorks SAN Director 6 Port 10Gb FC blade
FC8-16 Blade | HP StorageWorks SAN Director 16 Port 8Gb FC blade
FC8-32 Blade | HP StorageWorks SAN Director 32 Port 8Gb FC blade
FC8-48 Blade | HP StorageWorks SAN Director 48 Port 8Gb FC blade

Intended audience

This guide is intended for system administrators with knowledge of:
Storage area networks
HP StorageWorks Fibre Channel SAN switches

Related documentation

The following documents provide related information:
HP StorageWorks Fabric OS 6.x release notes
HP StorageWorks DC SAN Backbone Director hardware reference guide
You can find these documents from the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
In the Storage section, click Storage Networking and then select your product.

Document conventions and symbols

Table 2 Document conventions

Convention | Element
Blue text: Table 1 | Cross-reference links and e-mail addresses
Blue, underlined text: http://www.hp.com | Website addresses
Bold text | Keys that are pressed; text typed into a GUI element, such as into a box; GUI elements that are clicked or selected, such as menu and list items, buttons, tabs, and check boxes
Italics text | Text emphasis
Monospace text | File and directory names; system output; code; commands, their arguments, and argument values
Monospace, italic text | Code variables; command variables
Monospace, bold text | Emphasized monospace text

WARNING! Indicates that failure to follow directions could result in bodily harm or death.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.

Rack stability

Rack stability protects personnel and equipment.
WARNING!
To reduce the risk of personal injury or damage to equipment:
Extend leveling jacks to the floor.
Ensure that the full weight of the rack rests on the leveling jacks.
Install stabilizing feet on the rack.
In multiple-rack installations, secure racks together.
Extend only one rack component at a time. Racks may become unstable if more than one component is
extended.

HP technical support

For worldwide technical support information, see the HP support website:
http://www.hp.com/support/
Before contacting HP, collect the following information:
Product model names and numbers
Technical support registration number (if applicable)
Product serial numbers
Error messages
Operating system type and revision level
Detailed questions

Customer self repair

HP customer self repair (CSR) programs allow you to repair your StorageWorks product. If a CSR part needs replacing, HP ships the part directly to you so that you can install it at your convenience. Some parts do not qualify for CSR. Your HP-authorized service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider. For North America, see the CSR website:
http://www.hp.com/go/selfrepair

Product warranties

For information about HP StorageWorks product warranties, see the warranty information website:
http://www.hp.com/go/storagewarranty

Subscription service

HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/e-updates
After registering, you will receive e-mail notification of product enhancements, new driver versions, firmware updates, and other product resources.

HP websites

For additional product information, see the following HP websites:
http://www.hp.com
http://www.hp.com/go/storage
http://www.hp.com/support/manuals

Documentation feedback

HP welcomes your feedback.
To make comments and suggestions about product documentation, please send a message to storagedocs.feedback@hp.com. All submissions become the property of HP.

1 Standard features

This chapter describes how to configure your HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). Before you can configure a Storage Area Network (SAN), you must power up the Director or switch and blades, and then set the IP addresses of those devices. Although this chapter focuses on configuring a SAN using the CLI, you can also use the following methods to configure a SAN:
Web Tools
For Web Tools procedures, see the Web Tools Administrator’s Guide.
Fabric Manager
For Fabric Manager procedures, see the Fabric Manager Administrator’s Guide.

Overview

As a result of the differences between fixed-port and variable-port devices, procedures sometimes differ among HP switch models. As new models are introduced, new features sometimes apply only to specific switches.
When procedures or parts of procedures apply to some models but not others, this guide identifies the specifics for each model. For example, a number of procedures that apply only to variable-port devices are found in ”Configuring Directors” on page 193.
Although many different software and hardware configurations are tested and supported, documenting all possible configurations and scenarios is beyond the scope of this document. In some cases, earlier releases are highlighted to present considerations for interoperating with them.
The hardware reference manuals for HP products describe how to power up devices and set their IP addresses. After the IP address is set, you can use the CLI procedures contained in this guide.
For additional information about the commands used in the procedures, see online help or the Fabric OS Command Reference.

Using the CLI

Fabric OS 6.x uses Role-Based Access Control (RBAC) to control access to all Fabric OS operations. You can display a list of all command help topics for a given login level. For example, if you are logged in as user and enter the help command, a list of all user-level commands that can be executed is displayed. The same rule applies to the admin, securityAdmin, and switchAdmin roles.
NOTE: When command examples in this guide show user input enclosed in quotation marks, the quotation marks are required.
You can enter the help [| more] (pipe more) command with no specific command to display all commands. The | more argument displays the command output one page at a time. Or, you can enter help <command>, where command is the name of the command for which you need specific information.
The following commands provide help files for specific topics to understand configuring your SAN:
diagHelp Diagnostic help information
ficonHelp FICON help information
fwHelp Fabric Watch help information
iscsiHelp iSCSI help information
licenseHelp License help information
perfHelp Performance Monitoring help information
routeHelp Routing help information
trackChangesHelp Track Changes help information
zoneHelp Zoning help information

Connecting to the CLI

This section describes the procedures for connecting to the CLI.

Using a Telnet or SSH session

Connect to the Fabric OS through a Telnet or SSH connection or through a console session on the serial port. The switch must also be physically connected to the network. If the switch network interface is not configured or the switch has been disconnected from the network, use a console session on the serial port as described in the next section.
NOTE: To automatically configure the network interface on a DHCP-enabled switch, plug the switch into the network and power it on. The DHCP client automatically gets the IP and gateway addresses from the DHCP server. The DHCP server must be on the same subnet as the switch. See ”Configuring DHCP” on page 29 for more details.
Rules for Telnet connections:
Never change the IP address of the switch while two Telnet sessions are active; if you do, your next attempt to log in fails. To recover, gain access to the switch by one of these methods:
• You can use Web Tools to perform a fast boot. When the switch comes up, the Telnet quota is cleared. (For instructions on performing a fast boot with Web Tools, see the Web Tools Administrator’s Guide.)
• If you have the required privileges, you can connect through the serial port, log in as root, and use operating system commands to identify and kill the Telnet processes without disrupting the fabric.
For admin level accounts, Fabric OS limits the number of simultaneous Telnet sessions per switch to two. For more details on session limits, see ”Configuring the Telnet protocol” on page 87 and ”Managing user accounts” on page 55.
To connect using Telnet:
1. Verify that the switch’s network interface is configured and that it is connected to the IP network through the RJ-45 Ethernet port. Switches in the fabric that are not connected through the Ethernet can be managed through switches that are using IP over Fibre Channel. The embedded port must have an assigned IP address.
2. Open a Telnet connection using the IP address of the logical switch to which you want to connect.
Enter the account ID at the login prompt. See ”Changing passwords” on page 25 for instructions on how to log in for the first time.
3. Enter the password.
If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-C to skip the password prompts. See ”Changing default account passwords at login” on page 26.
4. Verify that the login was successful.
The prompt displays the switch name and user ID to which you are connected.
login: admin
password: xxxxxxx
switch:admin>

Using a console session on the serial port

Note the following behaviors for serial connections:
Some procedures require that you connect through the serial port; for example, setting the IP address or setting the boot PROM password.
If you are using a Fabric OS version prior to 6.x, and secure mode is enabled, connect through the serial port of the primary FCS switch.
4/256 SAN Director and DC Director: You can connect to CP0 or CP1 using either of the two serial ports.
To connect through the serial port:
1. Connect the serial cable to the serial port on the switch and to an RS-232 serial port on the workstation.
If the serial port on the workstation is RJ-45 instead of RS-232, remove the adapter on the end of the serial cable and insert the exposed RJ-45 connector into the RJ-45 serial port on the workstation.
2. Open a terminal emulator application (such as HyperTerminal on a PC, or TERM, TIP, or Kermit in a UNIX environment), and configure the application as follows:
• In a Windows environment:
Parameter Value
Bits per second 9600
Databits 8
Parity None
Stop bits 1
Flow control None
• In a UNIX environment, enter the following string at the prompt:
tip /dev/ttyb -9600
If ttyb is already in use, use ttya instead and enter the following string at the prompt: tip /dev/ttya -9600

Changing passwords

The switch automatically prompts you to change the default account passwords after logging in for the first time. If you do not change the passwords, the switch prompts you after each subsequent login until all the default passwords have been changed.
NOTE: The default account passwords can be changed from their original value only when prompted
immediately following the login; the passwords cannot be changed using the passwd command later in the session. If you skip the prompt, and then later decide to change the passwords, log out and then back in.
The default accounts on the switch are admin, user, root, and factory. Use the default administrative account as shown in Table 3 to log into the switch for the first time and to perform the basic configuration tasks.
Every logical switch (domain) has a set of default accounts. The root and factory default accounts are reserved for development and manufacturing. The user account is primarily used for system monitoring. For more information on default accounts, see ”About the default accounts” on page 59.
Table 3 describes the default administrative accounts for switches by model number.

Table 3 Default administrative account names and passwords

Model | Administrative account | Password
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router | admin | password
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) | admin | password

Changing default account passwords at login

The change default account passwords prompt accepts a maximum of eight characters. Any characters beyond the eighth character are ignored. Only the default password is subject to the eight character limit. User-defined passwords can have 8 to 40 characters. They must begin with an alphabetic character and can include numeric characters, the period (.), and the underscore ( _ ). They are case-sensitive, and they are not displayed when you enter them on the command line.
Record the passwords exactly as entered and store them in a secure place because recovering passwords requires significant effort and fabric downtime. Although the root and factory accounts are not meant for general use, change their passwords if prompted to do so and save the passwords in case they are needed for recovery purposes.
To change the default account passwords at login:
1. Connect to the switch and log in using the default administrative account.
2. At each of the “Enter new password” prompts, either enter a new password or skip the prompt.
To skip a single prompt, press Enter. To skip all of the remaining prompts, press Ctrl-C.
login: admin
Password:
Please change your passwords now.
Use Control-C to exit or press 'Enter' key to proceed.

for user - root
Changing password for root
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.

Please change your passwords now.
for user - factory
Changing password for factory
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.

Please change your passwords now.
for user - admin
Changing password for admin
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.

Please change your passwords now.
for user - user
Changing password for user
Enter new password: ********
Password changed.
Saving password to stable storage.
Password saved to stable storage successfully.
switch:admin>
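The two password rules above, as an added Python example that is not part of the guide: a checker for the 8 to 40 character policy on user-defined passwords, and a function that shows what the eight-character default-password prompt actually stores, so that two entries which silently collapse to the same effective password can be spotted before they are recorded.

```python
import re
from dataclasses import dataclass

# Rules stated in the guide for user-defined passwords.
USER_MIN_LEN, USER_MAX_LEN = 8, 40
# Only the change-default-password prompt at login truncates at eight characters.
DEFAULT_PROMPT_MAX_LEN = 8
# Begins with a letter; then letters, digits, period or underscore.
_ALLOWED = re.compile(r"[A-Za-z][A-Za-z0-9._]*")


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def check_user_password(candidate: str) -> Verdict:
    """Apply the 8-40 character policy for user-defined passwords (case-sensitive)."""
    n = len(candidate)
    if not USER_MIN_LEN <= n <= USER_MAX_LEN:
        return Verdict(False, f"length {n} is not within {USER_MIN_LEN}..{USER_MAX_LEN}")
    if not candidate[0].isalpha() or ord(candidate[0]) > 127:
        return Verdict(False, "must begin with an alphabetic character")
    if not _ALLOWED.fullmatch(candidate):
        return Verdict(False, "only letters, digits, '.' and '_' are allowed")
    return Verdict(True, "ok")


def effective_default_password(entered: str) -> str:
    """What the change-default-password prompt stores: characters beyond the eighth are ignored."""
    return entered[:DEFAULT_PROMPT_MAX_LEN]


def default_prompt_collisions(*entered: str) -> dict:
    """Group entries by what the prompt would store. Any group with more than one
    entry means two 'different' passwords end up identical on the switch."""
    groups: dict = {}
    for e in entered:
        groups.setdefault(effective_default_password(e), []).append(e)
    return {stored: inputs for stored, inputs in groups.items() if len(inputs) > 1}


if __name__ == "__main__":
    for pw in ("switch_01.admin", "1admin_pw", "admin-pw1"):
        print(pw, check_user_password(pw))
    # Constructed inputs: both collapse to "Password" at the default prompt.
    print(default_prompt_collisions("Password.2008", "Password.2009", "Fabric01"))
```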

Configuring the Ethernet interface

You can use Dynamic Host Configuration Protocol (DHCP) for the Ethernet network interface configuration. The Ethernet (network) interface provides management access, including direct access to the Fabric OS CLI, and allows other tools, such as Web Tools, to interact with the switch.
You can continue to use a static Ethernet addressing system or allow the DHCP client to automatically acquire Ethernet addresses. Configure the Ethernet interface IP, subnet mask, and gateway addresses in one of the following manners:
• ”Setting static Ethernet addresses” on page 28
• ”Configuring DHCP” on page 29
When you change the Ethernet interface settings, open connections such as SSH or Telnet may be dropped. Reconnect using the new Ethernet IP information or change the Ethernet settings using a console session through the serial port to maintain your session through the change. You must connect through the serial port to set the Ethernet IP address if the Ethernet network interface is not configured already.

Displaying the network interface settings

If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port. For more information, see ”Using a console session on
the serial port” on page 25. Otherwise, connect using SSH.
To display the network interface settings:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipAddrShow command.
SWITCH
Ethernet IP Address: 102.108.153.238
Ethernet Subnetmask: 255.255.255.0
Fibre Channel IP Address: none
Fibre Channel Subnetmask: 255.255.0.0
Gateway IP Address: 102.108.153.1
DHCP: Off
IPv6 Autoconfiguration Enabled: No
Local IPv6 Addresses:
static 1080::9:800:400c:416a/64
If the Ethernet IP address, subnet mask, and gateway address are displayed, then the network interface is configured. Verify that the information is correct. If DHCP is enabled, the network interface information was acquired from the DHCP server.
NOTE: You can use either IPv4 or IPv6 with a classless inter-domain routing (CIDR) block notation to set
up your IP addresses.

Setting static Ethernet addresses

Use static Ethernet network interface addresses on HP StorageWorks 2/128, 4/256 SAN Director, DC Director models, and in environments where DHCP service is not available. To use static addresses for the Ethernet interface, you must first disable DHCP. You may enter static Ethernet information and disable DHCP at the same time. Refer to ”Configuring DHCP” on page 29 for more information.
If you choose neither to use DHCP nor to specify an IP address for your switch Ethernet interface, enter none or 0.0.0.0 in the Ethernet IP address field.
IMPORTANT: IP address 0.0.0.0 is not supported in Fabric OS versions earlier than 5.2.0.
To set static addresses for the Ethernet network interface:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the following command to set the IPv4 address:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [OFF]: off
or to set an IPv6 address on a switch:
switch:admin> ipaddrset -ipv6 --add 1080::8:800:200C:417A/64
IP address is being changed...Done.
Example of setting logical switch (sw0)'s IPv6 address on a Director:
director:admin> ipaddrset -ipv6 -sw 0 --add 1080::8:800:200C:417B/64
IP address is being changed...Done.
Enter the network information in dotted decimal notation for the Ethernet IPv4 address and in colon-separated notation for IPv6. Enter the Ethernet Subnetmask and Gateway Address at the prompts. Skip the Fibre Channel prompts by pressing Enter. Disable DHCP by entering OFF.
On an AP blade, configure the two external Ethernet interfaces to two different subnets, or, if two subnets are not present, configure one of the interfaces and leave the other unconfigured. Otherwise, the following message appears, and the blade status may go into a faulty state after a reboot:
Neighbor table overflow. print: 54 messages suppressed

Configuring DHCP

By default, some HP switches have DHCP enabled; check the latest Fabric OS 6.x release notes for a complete list of switches. The 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) do not support DHCP.
The Fabric OS DHCP client supports the following parameters:
• External Ethernet port IP addresses and subnet masks
• Default gateway IP address
The DHCP client uses a DHCP vendor class identifier that allows DHCP servers to determine that the Discovers and Requests are coming from a switch. The vendor class identifier is the string “BROCADE” followed by the SWBD model number of the platform. For example, the vendor class identifier for a request from an HP StorageWorks DC Director is “BROCADESWBD62.”
IMPORTANT: The client conforms to the latest IETF Draft Standard RFCs for IPv4, IPv6, and DHCP.
Enabling DHCP
Connect the DHCP-enabled switch to the network, power on the switch, and the switch automatically obtains the Ethernet IP address, Ethernet subnet mask, and default gateway address from the DHCP server. The DHCP client can only connect to a DHCP server on the same subnet as the switch. Do not enable DHCP if the DHCP server is not on the same subnet as the switch.
Enabling DHCP after the Ethernet information has been configured releases the current Ethernet network interface settings, including Ethernet IP, Ethernet Subnetmask, and Gateway. The Fibre Channel (FC) IP address and subnet mask is static and is not affected by DHCP; see ”Setting static Ethernet addresses” on page 28 for instructions on setting the FC IP address.
To enable DHCP:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipaddrset command.
3. If already set up, skip the Ethernet IP address, Ethernet subnet mask, Fibre Channel IP address and
subnet mask prompts by pressing Enter.
4. When you are prompted for DHCP[Off], enable it by entering on at the prompt:
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [Off]: on
Disabling DHCP
When you disable DHCP, enter the static Ethernet IP address and subnet mask of the switch and default gateway address. Otherwise, the Ethernet settings may conflict with other addresses assigned by the DHCP server on the network.
To disable DHCP:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the ipaddrset command.
3. Enter the network information in dotted decimal notation for the Ethernet IP address, Ethernet
Subnetmask, and Gateway Address at the prompts. If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the Ethernet IP address prompt. Skip Fibre Channel prompts by pressing Enter.
4. When you are prompted for DHCP[On], disable it by entering off.
switch:admin> ipaddrset
Ethernet IP Address [192.168.74.102]:
Ethernet Subnetmask [255.255.255.0]:
Fibre Channel IP Address [220.220.220.2]:
Fibre Channel Subnetmask [255.255.0.0]:
Gateway IP Address [192.168.74.1]:
DHCP [On]: off

Setting the date and time

Switches maintain the current date and time inside a battery-backed real-time clock (RTC) circuit. Date and time are used for logging events. Switch operation does not depend on the date and time; a switch with an incorrect date and time value still functions properly. However, because the date and time are used for logging, error detection, and troubleshooting, you should set them correctly.
Authorization access to set or change the date and time for a switch is role-based. For an understanding of role-based access, refer to ”Using Role-Based Access Control (RBAC)” on page 56.
IMPORTANT: If you are running a Fabric OS version earlier than 6.x and secure mode is not enabled, a
change in date or time to one switch is forwarded to the principal switch and distributed to the fabric. If secure mode is enabled, date or time changes can be made only on the primary FCS switch and distributed to the fabric.
To set the date and time:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the date command, using the following syntax:
date "mmddHHMMyy"
The values represent the following:
• mm is the month; valid values are 01 through 12.
• dd is the date; valid values are 01 through 31.
• HH is the hour; valid values are 00 through 23.
• MM is minutes; valid values are 00 through 59.
• yy is the year; valid values are 00 through 99 (values greater than 69 are interpreted as 1970 through 1999, and values less than 70 are interpreted as 2000 through 2069).
switch:admin> date
Fri Sep 29 17:01:48 UTC 2007
switch:admin> date "0927123007"
Thu Sep 27 12:30:00 UTC 2007
switch:admin>
For details about how to change time zones, see the tsTimeZone command in the Fabric OS Command Reference.
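As an added example, not from the guide, the following Python parses and validates the mmddHHMMyy argument described above, applies the two-digit year pivot exactly as listed, and rejects calendar-impossible dates such as 31 February that pass the per-field ranges. The inverse helper builds the argument from a datetime so that a known-good time can be pushed to a switch with a consistent string.

```python
import re
from datetime import datetime

# The date command takes exactly ten digits: mmddHHMMyy.
_FMT = re.compile(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})")


def expand_year(yy: int) -> int:
    """Two-digit year pivot from the guide: 70..99 -> 1970..1999, 00..69 -> 2000..2069."""
    if not 0 <= yy <= 99:
        raise ValueError("yy must be 00 through 99")
    return 1900 + yy if yy > 69 else 2000 + yy


def parse_switch_date(arg: str) -> datetime:
    """Turn a mmddHHMMyy argument into a datetime (seconds are zeroed, as in the guide's example)."""
    m = _FMT.fullmatch(arg)
    if not m:
        raise ValueError(f"expected ten digits mmddHHMMyy, got {arg!r}")
    mm, dd, hh, mi, yy = (int(g) for g in m.groups())
    # Per-field ranges exactly as the guide lists them.
    if not 1 <= mm <= 12:
        raise ValueError("mm must be 01 through 12")
    if not 1 <= dd <= 31:
        raise ValueError("dd must be 01 through 31")
    if not 0 <= hh <= 23:
        raise ValueError("HH must be 00 through 23")
    if not 0 <= mi <= 59:
        raise ValueError("MM must be 00 through 59")
    # datetime() additionally rejects dates such as 0231 (31 February) that pass the ranges above.
    return datetime(expand_year(yy), mm, dd, hh, mi, 0)


def is_valid_switch_date(arg: str) -> bool:
    """True if the argument would be accepted by the checks above."""
    try:
        parse_switch_date(arg)
        return True
    except ValueError:
        return False


def format_switch_date(when: datetime) -> str:
    """Inverse: build the argument for date from a datetime; only 1970..2069 is representable."""
    if not 1970 <= when.year <= 2069:
        raise ValueError(f"year {when.year} cannot be expressed as yy")
    return when.strftime("%m%d%H%M%y")


if __name__ == "__main__":
    d = parse_switch_date("0927123007")         # the guide's example argument
    print(d.strftime("%a %b %d %H:%M:%S %Y"))   # Thu Sep 27 12:30:00 2007
    print(format_switch_date(d))                # 0927123007
```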

Setting time zones

You can set the time zone for a switch by name. You can specify the setting using country and city or time zone parameters. Switch operation does not depend on a date and time setting. However, having an accurate time setting is needed for accurate logging and audit tracking.
If the time zone is not set with the new options, the switch retains the offset time zone settings. The tsTimeZone command includes an option to revert to the prior time zone format. For more information about the --old option, see the Fabric OS Command Reference.
IMPORTANT: If you are downgrading to a Fabric OS version earlier than 6.x, or retaining the offset
format, see prior versions of the Fabric OS Administrator’s Guide for detailed information about setting time zones using the offset format. See ”About the firmware download process” on page 163 for time zone downgrading considerations.
You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to perform the following tasks:
• Display all of the time zones supported in the firmware
• Set the time zone based on a country and city combination or based on a time zone ID such as PST
The time zone setting has the following characteristics:
• Users can view the time zone settings. However, only those with administrative permissions can set the time zones.
• The tsTimeZone setting automatically adjusts for Daylight Savings Time.
• Changing the time zone on a switch updates the local time zone setup and is reflected in local time calculations.
• By default, all switches are in the GMT time zone (0,0). If all switches in a fabric are in one time zone, it is possible for you to keep the time zone setup at the default setting.
• System services that have already started will reflect the time zone changes only after the next reboot.
• Time zone settings persist across failover for High Availability.
Setting the time zone on a dual domain Director has the following characteristics:
• Updating the time zone on any switch updates the entire Director.
• The time zone of the entire Director is the time zone of switch 0.
The following procedure describes how to set the time zone for a switch. You must perform the procedure on all switches for which the time zone must be set. However, you only need to set the time zone once on each switch, because the value is written to nonvolatile memory.
To set the time zone:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsTimeZone command as follows:
switch:admin> tstimezone [--interactive | timezone_fmt]
• Use tsTimeZone with no parameters to display the current time zone setting.
• Use --interactive to list all of the time zones supported by the firmware.
• Use timezone_fmt to set the time zone by Country/City or by time zone ID, such as PST.
The following example shows how to display the current time zone setup and how to change the time zone to US/Central.
switch:admin> tstimezone
Time Zone : US/Pacific
switch:admin> tstimezone US/Central
switch:admin> tstimezone
Time Zone : US/Central
The following procedure describes how to set the current time zone using interactive mode to Pacific Standard Time.
To set the time zone interactively:
1. Enter the tsTimeZone command as follows:
switch:admin> tstimezone --interactive
2. You are prompted to select a general location.
Please identify a location so that time zone rules can be set correctly.
3. Enter the appropriate number or Ctrl-D to quit.
4. At the prompt, select a country location.
5. At the prompt, enter the appropriate number to specify the time zone region or Ctrl-D to quit.

Synchronizing local time using NTP

You can synchronize the local time of the principal or primary fabric configuration server (FCS) switch to a maximum of eight external network time protocol (NTP) servers. To keep the time in your SAN current, it is recommended that the principal or primary-FCS switch has its time synchronized with at least one external NTP server. The other switches in the fabric will automatically take their time from the principal or primary-FCS switch.
All switches in the fabric maintain the current clock server value in non-volatile memory. By default, this value is the local clock server <LOCL> of the principal or primary FCS switch. Changes to the clock server value on the principal or primary FCS switch are propagated to all switches in the fabric.
When a new switch enters the fabric, the time server daemon of the principal or primary FCS switch sends out the addresses of all existing clock servers and the time to the new switch. If a switch with Fabric OS
5.3.0 or later has entered the fabric it will be able to store the list and the active servers; pre-5.3.0 Fabric OS switches will ignore the new list parameter in the payload and will update only the active server address.
If the active NTP server is configured with an IPv6 address, it cannot be distributed to switches running Fabric OS versions earlier than 5.3.0, because IPv6 is supported only in Fabric OS 5.3.0 and later. The default value LOCL is distributed to pre-5.3.0 switches instead.
To synchronize local time with an external source:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the tsClockServer command:
switch:admin> tsclockserver "<ntp1;ntp2>"
where ntp1 is the IP address or DNS name of the first NTP server, which the switch must be able to access, and ntp2 is the second NTP server and is optional. The operand “<ntp1;ntp2>” is optional; by default, this value is LOCL, which uses the local clock of the principal or primary switch as the clock server.
The tsClockServer command accepts multiple server addresses in either IPv4, IPv6, or DNS name formats. When multiple NTP server addresses are passed, tsClockServer sets the first obtainable address as the active NTP server. The rest will be stored as backup servers that can take over if the active NTP server fails. The principal or primary FCS switch synchronizes its time with the NTP server every 64 seconds.
switch:admin> tsclockserver
LOCL
switch:admin> tsclockserver "132.163.135.131"
switch:admin> tsclockserver
132.163.135.131
switch:admin>
The following example shows how to set up more than one NTP server using a DNS name:
switch:admin> tsclockserver "10.32.170.1;10.32.170.2;ntp.localdomain.net"
Updating Clock Server configuration...done.
Updated with the NTP servers

Customizing switch names

Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful.
Switch names can be from 1 to 15 characters long, must begin with a letter, and can contain letters, numbers, or the underscore character. It is not necessary to use quotation marks.
NOTE: Changing the switch name causes a domain address format RSCN (registered state change
notification) to be issued and may be disruptive to the fabric.
To customize the switch name:
1. Open a Telnet session for each logical switch and enter the switchName command.
2. Connect to the switch and log in using an admin account.
3. Enter the switchName command, using the following syntax:
switchname "newname"
where newname is the new name for the switch.
4. Record the new switch name for future reference.
5. Record the new switch name for the second domain for future reference.

Working with Domain IDs

Although Domain IDs are assigned dynamically when a switch is enabled, you can reset them manually so that you can control the ID number or resolve a Domain ID conflict when you merge fabrics.
If a switch has a Domain ID when it is enabled, and that Domain ID conflicts with a switch in the fabric, the conflict is automatically resolved. The process can take several seconds, during which time traffic is delayed.
The default Domain ID for HP switches is 1.
NOTE: Do not use Domain ID 0. The use of this Domain ID can cause the switch to reboot continuously.
Avoid changing the Domain ID on the FCS in secure mode. To minimize down time, change the Domain IDs on the other switches in the fabric.
To display Domain IDs:
1. Connect to a switch and log in as admin.
2. Enter the fabricShow command.
Fabric information is displayed, including the Domain ID (D_ID):
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180 >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
The fields in the fabricShow display are:
• Switch ID — The switch Domain_ID and embedded port D_ID
• Worldwide Name — The switch WWN
• Enet IP Addr — The switch Ethernet IP address for IPv4 and IPv6 configured switches. For IPv6 switches, only the static IP address displays
• FC IP Addr — The switch FC IP address
• Name — The switch symbolic name. An arrow (>) indicates the principal switch.
To set the Domain ID:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command to disable the switch.
3. Enter the configure command.
4. Enter y after the Fabric parameters prompt:
Fabric parameters (yes, y, no, n): [no] y
5. Enter a unique Domain ID at the Domain prompt. Use a Domain ID value from 1 through 239 for normal operating mode (FCSW compatible):
Domain: (1..239) [1] 3
6. Respond to the remaining prompts, or press Ctrl-D to accept the other settings and exit.
7. Enter the switchEnable command to re-enable the switch.
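As an added example, not from the guide, the following Python parses the fabricShow output shown above into records, identifies the principal switch from the > marker, and audits the entries against the Domain ID rules in this section (1 through 239, never 0, unique per fabric, embedded port D_ID fffcXX matching the domain). The column layout is assumed to be the one shown; the sample input is the guide's own output, embedded as constructed data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the fabricShow output shown above in the guide.
SAMPLE_FABRICSHOW = """\
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180 >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
"""

# One switch row: <domain>: <D_ID hex> <WWN> <Enet IP> <FC IP> [>]"<name>"
_ROW = re.compile(
    r"^\s*(?P<domain>\d+):\s*(?P<did>[0-9a-fA-F]{6})\s+"
    r"(?P<wwn>(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2})\s+"
    r"(?P<enet>\S+)\s+(?P<fcip>\S+)\s+(?P<principal>>?)\"(?P<name>[^\"]*)\""
)
_TRAILER = re.compile(r"The Fabric has (\d+) switches")

DOMAIN_MIN, DOMAIN_MAX = 1, 239      # normal operating mode (FCSW compatible)
EMBEDDED_PORT_BASE = 0xFFFC00        # embedded port D_ID is fffc00 | domain


@dataclass(frozen=True)
class FabricSwitch:
    domain: int
    did: int
    wwn: str
    enet_ip: str
    fc_ip: str
    name: str
    principal: bool


def parse_fabricshow(text: str) -> List[FabricSwitch]:
    """Extract one record per switch row; header, rule and trailer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(FabricSwitch(
                domain=int(m["domain"]), did=int(m["did"], 16), wwn=m["wwn"].lower(),
                enet_ip=m["enet"], fc_ip=m["fcip"], name=m["name"],
                principal=(m["principal"] == ">")))
    return rows


def declared_switch_count(text: str) -> Optional[int]:
    """The count fabricShow prints after the table, if present."""
    m = _TRAILER.search(text)
    return int(m[1]) if m else None


def principal_switch(rows: List[FabricSwitch]) -> Optional[FabricSwitch]:
    """The switch flagged with '>' in the Name column."""
    return next((r for r in rows if r.principal), None)


def audit_fabric(text: str) -> List[str]:
    """Findings against this section's rules: domains 1..239 (never 0), unique per fabric,
    embedded-port D_ID consistent with the domain, exactly one principal, row count as declared."""
    rows = parse_fabricshow(text)
    findings: List[str] = []
    seen = set()
    for r in rows:
        if not DOMAIN_MIN <= r.domain <= DOMAIN_MAX:
            findings.append(f"{r.name}: domain {r.domain} outside {DOMAIN_MIN}..{DOMAIN_MAX}")
        if r.did != (EMBEDDED_PORT_BASE | r.domain):
            findings.append(f"{r.name}: D_ID {r.did:06x} does not match domain {r.domain}")
        if r.domain in seen:
            findings.append(f"{r.name}: duplicate domain {r.domain}")
        seen.add(r.domain)
    if sum(1 for r in rows if r.principal) != 1:
        findings.append("expected exactly one principal switch")
    declared = declared_switch_count(text)
    if declared is not None and declared != len(rows):
        findings.append(f"parsed {len(rows)} rows but fabricShow reports {declared} switches")
    return findings


if __name__ == "__main__":
    rows = parse_fabricshow(SAMPLE_FABRICSHOW)
    for sw in rows:
        print(sw)
    print("principal:", principal_switch(rows).name)   # sw180
    print("findings:", audit_fabric(SAMPLE_FABRICSHOW))  # []
```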

Licensed features

You need the following items for each feature that needs to be licensed:
• Transaction key in the paperpack document supplied with the switch software. Or, when you purchased a license, you received a transaction key to use for generating a software license key.
• License ID. To see a switch license ID, issue the licenseIdShow command.
Feature licenses may be part of the licensed paperpack supplied with your switch software; if not, you can purchase licenses separately from HP. License keys are provided on a per-product and per-feature basis. Each switch within a fabric will need its own licensing.
NOTE: To preserve licenses on your switch, perform a configupload prior to upgrading or
downgrading your Fabric OS.
If you downgrade your Fabric OS to a version earlier than 6.x, some licenses associated with specific features of Fabric OS 6.x may not work.
Licenses can be associated with a feature version or a blade type.
• If a feature has a version-based license, that license is valid only for a particular version of the feature. If you want a newer version of the feature, you must purchase a new license. Version upgrade: for example, a zoning license for Fabric OS version 6.x is added. You can add another zoning license with a version greater than 5.2.0 without removing the zoning license for Fabric OS 5.2.0. Upgrading is allowed, but downgrading is not supported.
• If a license is not version-based, then it is valid for all versions of the feature.
• If a license is associated with a blade type, the licensed feature can be used only with the associated blade; if you want to use the feature on a second blade, you must purchase an additional license.

Generating a license key

To generate a license key:
1. If you already have a license key, go to ”Activating a license key” on page 35 to activate.
If you do not have a license key, launch an Internet browser and go to:
http://webkey.external.hp.com/welcome.asp
The Hewlett-Packard Authorization Center website main menu displays.
2. Click Generate a license key.
The HP StorageWorks Software License Key instruction page opens.
3. Enter the information in the required fields.
4. Follow the onscreen instructions to generate multiple license keys if applicable.
5. Click Next. A verification screen appears.
Verify that the information is correct. Click Submit if the information displayed is correct. If the information is incorrect, click Previous and change the information.
6. Click Submit.
7. An information screen displays the license keys. You also receive an e-mail from the HP licensing
company.
8. Activate the license keys. Go to ”Activating a license key” on page 35.

Activating a license key

To activate and verify the license:
1. Connect to the switch and log in using an admin account.
2. Activate the license using the licenseAdd command.
switch:admin> licenseadd "key"
The transaction key is case sensitive, so it must be entered exactly as it appears. To lessen the chance of error, copy and paste the transaction key. The quotation marks are optional.
For 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) models, licenses are effective on both CP blades, but are valid only when the CP blade is inserted into a Director that has an appropriate license ID stored in the WWN card. If a CP is moved from one Director to another, the license works in the new Director only if the WWN card is the same in the new Director. Otherwise, you must transfer licenses from the old WWN to the new WWN.
For example, if you swap one CP blade at a time, or replace a single CP blade, then the existing CP blade (the active CP blade) propagates the licenses to the new CP blade.
If you move a standby CP from one Director to another, then the active CP will propagate its configuration (including license keys).
3. Verify that the license was added by entering the licenseShow command. The licensed features
currently installed on the switch display. If the feature is not listed, enter the licenseAdd command again.
Some features may require additional configuration, or you may need to disable and reenable the switch to make them operational; see the feature documentation for details.
switch:admin> licenseshow
RzdeSee9wVlfTu:
    Web license
    Zoning license
    SES license
    Fabric license
    Remote Switch license
    Extended Fabric license
    Fabric Watch license
    Performance Monitor license
    Trunking license
    Security license
    4 Domain Fabric license
    FICON_CUP license
    N_Port ID Virtualization license
    High-Performance Extension over FCIP/FC license
    Ports on Demand license - additional 16 port upgrade
    2 Domain Fabric license
    Ports on Demand license - additional 16 port upgrade

Removing a licensed feature

1. Connect to the switch and log in using an admin account.
2. Enter the licenseShow command to display the active licenses.
3. Remove the license key using the licenseRemove command.
switch:admin> licenseremove "key"
The license key is case-sensitive and must be entered exactly as given. The quotation marks are optional. After removing a license key, the optionally licensed feature is disabled when the switch is rebooted or when a switch disable and enable is performed.
4. Enter the licenseShow command to verify that the license is disabled.
switch:admin> licenseshow
bQebzbRdScRfc0iK:
    Web license
    Zoning license
switch:admin> licenseremove "bQebzbRdScRfc0iK"
removing license key "bQebzbRdScRfc0iK"
switch:admin>
After a reboot (or switchDisable and switchEnable), only the remaining licenses appear:
switch:admin> licenseshow
SybbzQQ9edTzcc0X:
    Fabric license
switch:admin>
If there are no license keys, licenseShow displays “No licenses.”

Features and required licenses

Table 4 lists the licenses that should be installed on the local switch and any connecting switches for a particular feature.

Table 4 License requirements

Feature | License | Where license should be installed
Administrative Domains | No license required. | n/a
Configuration up/download | No license required. Configupload or configdownload is a command and comes with the OS on the switch. | n/a
Diagnostic tools | No license required. | n/a
Distributed Management Server | No license required. | n/a
EX_Ports | Integrated Routing | Local and attached switches.
FC Fastwrite | FC-IP Services or High Performance Extension over FCIP/FC | Local and attached switches.
FCIP | FC-IP Services or High Performance Extension over FCIP/FC | Local and attached switches. License is needed on both sides of tunnel.
FICON | No license required. | n/a
FICON-CUP | FICON Management Server | Local switch.
FIPS | No license required. | n/a
Firmware download | No license required. Firmwaredownload is a command and comes with the OS on the switch. | n/a
Full fabric | Full Fabric | Local switch. May be required on attached switches.
Ingress rate limiting | Adaptive Networking | Local switch and attached switches.
Integrated routing | Integrated Routing | Local and attached switches.
Inter-chassis link (ICL) | ICL | Local and attached ICLs.
Interoperability | No license required. | n/a
IPSec for FCIP tunnels | FC-IP Services or High Performance Extension over FCIP/FC | Local and attached switches. License is needed on both sides of tunnel.
LDAP | No license required. | n/a
Long distance | Extended Fabrics | Local and attached switches. License is needed on both sides of connection.
NPIV | No license required. | n/a
Performance monitoring | Basic features - no; advanced features - yes: Advanced Performance Monitoring. | Local switch
Port fencing | Fabric Watch | Local switch
Ports | Ports on Demand licenses. This license applies to a select set of switches. | Local switch
QoS | Adaptive Networking | Local switch and attached switches.
RADIUS | No license required. | n/a
RBAC | No license required. | n/a
Routing traffic | No license required. This includes port-based or exchange-based routing, static routes, frame-order delivery, and dynamic routes. | n/a
Security | No license required. Includes the DCC, SCC, FCS, IP Filter, and authentication policies. | n/a
SNMP | No license required. | n/a
SSH public key | No license required. | n/a
Top Talkers | Advanced Performance Monitoring | Local switch and attached switches.
Traffic Isolation | No license required. | n/a
Trunking | ISL Trunking or ISL Trunking Over Extended Fabrics | Local and attached switches.
Two-factor authentication | No license required. | n/a
Two-to-four domains in a fabric | Value Line (Two/Four) | Local switch. May be required on attached switches.
USB usage | No license required. | n/a
Web Tools | No license required. | Local and any switch you want to manage using Web Tools.
Zoning | No license required. | Local and attached switches; or any switch you want to use in a zone.

Inter-Chassis Link (ICL) licensing

ICL ports can be used only with an ICL license. After the addition or removal of a license, the license enforcement is performed on the ICL ports only when the portdisable and portenable commands are issued on the ports. An ICL license must be installed on both DC Directors forming the ICL connection.

Time-based licenses

A time-based license applies a try-before-you-buy approach to certain features so that you can experience the feature and its capabilities before buying the license. Once you have installed the license, you are given a time limit to use the feature. The following licenses are available as time-based licenses:
FCIP
Fabric
Extended Fabric
Trunking
Advanced Performance Monitoring
If you downgrade your switch to a version earlier than 6.x, the time-based license will no longer be available. The license will remain on the switch, but you will not be able to use it.
Once a time-based license is installed, you cannot change the date or time of the switch until the time-based license is removed. To change the date, remove the license, change the date, and then reinstall the license on the switch.

High Availability considerations

Whenever the license database is modified, it is synchronized with the standby CP. If the active CP is running Fabric OS 6.1.0 and has time-based licenses installed, and the standby CP is running Fabric OS 6.0.0 or earlier, then after an HA failover the time-based licenses are no longer supported on the director or enterprise-class platform. You will not have access to the time-based licensed features until both CPs are running Fabric OS 6.1.0 or later. If both CPs are running Fabric OS 6.1.0 or later, there is no change to the time-based licenses or their associated features.

Firmware upgrade and downgrade consideration

When a time-based license is present on the switch, and you downgrade the firmware to Fabric OS 6.0.0 or earlier, then the firmware downgrade will be blocked.

Configupload and Configdownload considerations

The configDownload and configUpload commands handle legacy, enhanced, consumed-capacity, and time-based licenses.

Expired licenses

Once a license has expired, you can no longer view it with the licenseShow command. An expired license behaves in the same way as a license that has been removed from the switch. For the expiry to take effect, you must reboot the switch.

Ports on Demand (POD) licensing

NOTE: See the hardware reference guide for your switch for the specific POD licensing available.
POD licensing is ready to be unlocked in the switch firmware. Its license key may be part of the licensed paper pack supplied with the switch software, or you can purchase the license key separately from HP. You may need to generate a license key from a transaction key supplied with your purchase; see ”Generating a license key” on page 35.
Each POD license activates the next group of eight ports in numerical order. (The 4/8 SAN Switch and 4/16 SAN Switch differ: they activate the first eight ports and then add ports in four-port increments.) Before installing a license key, you must insert transceivers in the ports to be activated. Remember to insert the transceivers in the lowest group of inactive port numbers first.
For example in a SAN Switch 4/32, if only 16 ports are currently active and you are installing one POD license key, make sure to insert the transceivers in ports 16 through 23. If you later install a second license key, insert the transceivers in ports 24 through 31. For details on inserting transceivers, see the switch’s Hardware Reference Manual.
After you install a license key, you must enable the ports to complete their activation. You can do so without disrupting switch operation by issuing the portEnable command on each port. Alternatively, you can disable and reenable the switch to activate ports.
NOTE: If you enable or disable an active port, you will disrupt any traffic and potentially lose data flowing on that port. If the port is connected to another switch, you will segment the switch from the fabric and all traffic flowing between the disabled port and the fabric will be lost.

Activating POD

To activate POD:
1. Connect to the switch and log in on an admin account.
2. Optional: To verify the current states of the ports, use the portShow command.
In the portShow output, the Licensed field indicates whether the port is licensed.
3. Install the Ports on Demand license; see ”Enter the information in the required fields.” on page 35.
4. Use the portEnable command to enable the ports.
5. Optional: Use the portShow command to check the newly activated ports.
If you remove a POD license, the licensed ports will become disabled after the next platform reboot or the next port deactivation.

Configuring Dynamic Ports on Demand

The Brocade 4Gb SAN Switch for HP c-Class BladeSystem supports blade modules. This switch supports the Dynamic Ports on Demand (DPOD) feature. The Dynamic POD feature automatically assigns POD licenses from a pool of available licenses based on the server blade installation.

How ports are assigned to licenses

The Dynamic POD feature detects and assigns ports to a POD license only if the server blade is installed with an HBA present. A server blade that does not have a functioning HBA is treated as an inactive link during initial POD port assignment.
The Dynamic POD feature assigns the ports to the POD license as they come online. Typically, assignments are sequential, starting with the lowest port number. However, variations in the equipment attached to the ports can cause the ports to take different amounts of time to come online. This means that the port assignment order is not guaranteed.
If the switch detects more active links than allowed by the current POD licenses, then some ports will not be assigned a POD license. Ports that do not receive a POD assignment show No Sync or In Sync status; these ports are not allowed to progress to the online state. Ports that cannot be brought online because of insufficient POD licenses show a (No POD License) Disabled status. (Use the switchShow command to display the port states.)
To allocate licenses to a specific port instead of automatically assigning them as the ports come online, reserve a license for the port using the licensePort command described in ”Managing POD licenses” on page 42. The port receives a POD assignment if any are available.
After a port is assigned to the POD set, the port is licensed until it is manually removed from the POD port set using the licensePort --release command. When a port is released from its POD port set (Base, Single, or Double), it creates a vacancy in that port set.

Displaying the port license assignment

Use the licensePort --show command to display the available licenses, the current port assignment of those licenses, and the POD method state (dynamic or static).
To display the port licenses:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --show command.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
  12 ports are assigned to the base switch license
  12 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
Ports assigned to the full POD license:
  0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23
The example above shows output from a switch on which the POD licenses were assigned manually (static POD method).

Activating Dynamic Ports on Demand

If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments. After the Dynamic POD feature is enabled, you can customize the POD license associations.
IMPORTANT: The Dynamic POD feature is supported on the Brocade 4Gb SAN Switch for HP c-Class
BladeSystem only.
To enable Dynamic Ports on Demand:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --method command with the dynamic option to change the license assignment method to dynamic.
switch:admin> licenseport --method dynamic
The POD method has been changed to dynamic.
Please reboot the switch now for this change to take effect.
3. Enter the reboot command to restart the switch.
switch:admin> reboot
4. Enter the licensePort --show command to verify that the switch started the Dynamic POD feature.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
8 ports are assigned to installed licenses:
  8 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1, 2, 5, 6, 8*, 21, 22, 23
Ports assigned to the full POD license:
  None
Ports not assigned to a license:
  0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
16 license reservations are still available for use by unassigned ports
1 license assignment is held by an offline port (indicated by *)
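The licensePort --show listing is what an administrator reads before reserving or releasing a port, and the summary counts it prints should agree with the per-port lists. The following Python script, added here as an example and not part of this guide or of Fabric OS, parses such a listing (captured to a file or pasted from the terminal), computes the reservations still available, lists the ports that hold a license while offline (marked with *), and flags any inconsistency between the counts and the port lists. The SAMPLE text is constructed to match the dynamic POD output shown above; the parser assumes only that the sections appear in the order the switch prints them, so it also copes with output that a terminal capture has run together on one line.

```python
"""Reconcile Fabric OS `licenseport --show` output against the port lists it prints."""
import re

# Constructed sample, modelled on the dynamic-POD output shown in the guide.
SAMPLE = """\
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
8 ports are assigned to installed licenses:
  8 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1, 2, 5, 6, 8*, 21, 22, 23
Ports assigned to the full POD license:
  None
Ports not assigned to a license:
  0, 3, 4, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
16 license reservations are still available for use by unassigned ports
1 license assignment is held by an offline port (indicated by *)
"""

# Each port list runs up to the next heading, a reservations line, a CLI
# prompt, or the end of the output (so one-line captures parse as well).
_END = r"(?:Ports not assigned to a license:|\d+ license reservations|\w+:\w+>|$)"
_SECTIONS = {
    "base": r"Ports assigned to the base switch license:\s*(.*?)\s*(?=Ports assigned to the full POD license:)",
    "full": r"Ports assigned to the full POD license:\s*(.*?)\s*(?=" + _END + ")",
    "unassigned": r"Ports not assigned to a license:\s*(.*?)\s*(?=" + _END + ")",
}


def _port_list(text):
    """'1, 2, 8*, 21' -> [(1, False), (2, False), (8, True), (21, False)];
    an asterisk marks a port that holds a license while offline."""
    text = text.strip()
    if not text or text.lower() == "none":
        return []
    ports = []
    for tok in text.split(","):
        tok = tok.strip()
        ports.append((int(tok.rstrip("*")), tok.endswith("*")))
    return ports


def _count(output, pattern):
    m = re.search(pattern, output)
    if m is None:
        raise ValueError("licenseport output lacks: " + pattern)
    return int(m.group(1))


def parse_licenseport_show(output):
    """Summary counts, POD method, and the three per-port lists."""
    info = {
        "available": _count(output, r"(\d+) ports are available"),
        "provisioned": _count(output, r"(\d+) port assignments are provisioned for use"),
        "assigned": _count(output, r"(\d+) ports are assigned to installed licenses"),
        "method": re.search(r"(Dynamic|Static) POD method", output).group(1).lower(),
    }
    m = re.search(r"(\d+) license reservations are still available", output)
    info["reported_remaining"] = int(m.group(1)) if m else None
    for name, pattern in _SECTIONS.items():
        m = re.search(pattern, output, re.S)
        info[name] = _port_list(m.group(1)) if m else []
    return info


def reconcile(info):
    """Cross-check the summary counts against the per-port lists and return
    the figures an administrator checks before reserving or releasing a port."""
    licensed = info["base"] + info["full"]
    problems = []
    if len(licensed) != info["assigned"]:
        problems.append("assigned count %d != %d listed ports" % (info["assigned"], len(licensed)))
    seen = {p for p, _ in licensed} | {p for p, _ in info["unassigned"]}
    if seen != set(range(info["available"])):
        problems.append("port lists do not cover ports 0..%d exactly" % (info["available"] - 1))
    remaining = info["provisioned"] - info["assigned"]
    if info["reported_remaining"] is not None and info["reported_remaining"] != remaining:
        problems.append("switch reports %d reservations, expected %d" % (info["reported_remaining"], remaining))
    return {
        "remaining_reservations": remaining,
        "held_offline": sorted(p for p, offline in licensed if offline),
        "unassigned": sorted(p for p, _ in info["unassigned"]),
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_licenseport_show(SAMPLE)).items():
        print("%-22s %s" % (key, value))
```

A non-empty problems list means the listing was truncated or edited, or the switch's own counts disagree with its port lists; either way, do not reserve or release ports until a fresh licensePort --show reconciles cleanly.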

Disabling Dynamic Ports on Demand

Disabling the Dynamic POD feature (changing the POD method to static), erases any prior port license associations or assignments the next time the switch is rebooted.
To disable Dynamic Ports on Demand:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --method command with the static option to change the license assignment method to static.
switch:admin> licenseport --method static
The POD method has been changed to static.
Please reboot the switch now for this change to take effect.
3. Enter the reboot command to restart the switch.
switch:admin> reboot
4. Enter the licensePort --show command to verify the switch started the Static POD feature.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Static POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
24 ports are assigned to installed licenses:
  12 ports are assigned to the base switch license
  12 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1, 2, 3, 4, 5, 6, 7, 8, 17, 18, 19, 20
Ports assigned to the full POD license:
  0, 9, 10, 11, 12, 13, 14, 15, 16, 21, 22, 23

Managing POD licenses

This section explains how to allocate licenses by reserving and releasing POD assignments to specific ports. Disabled ports are not candidates for automatic license assignment by the Dynamic POD feature. Persistently disable an otherwise viable port to prevent it from coming online, and thereby preserve a license assignment for another port.
Before you can re-assign a license, you must disable the port and release the license.

Reserving a license

Reserving a license for a port assigns a POD license to that port whether the port is online or offline. That license will not be available to other ports that come online before the specified port.
To reserve a port license:
1. Connect to the switch and log in using an admin account.
2. Enter the licensePort --show command to verify that there are port reservations still available.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
  10 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
  None
Ports not assigned to a license:
  0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
3. If a port reservation is available, issue the licensePort --reserve command to reserve a license for the port.
switch:admin> licenseport --reserve 0
4. If all port reservations are assigned, select a port to release its POD license. You must disable the port first by entering the command portdisable <port num>.
5. Enter the licensePort --release command to remove the port from the POD license.
switch:admin> licenseport --release 0
6. Enter the licensePort --show command to verify there is an available port reservation.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
  10 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
  None
Ports not assigned to a license:
  0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
7. Enter the switchEnable command to bring the switch back online.
switch:admin> switchenable

Releasing a port

Releasing a port removes it from the POD set; the port will appear as unassigned until it comes back online. Persistently disabling the port will ensure that the port cannot come back online and be automatically assigned to a POD assignment.
To release a port from a POD set:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command to take the switch offline.
switch:admin> switchdisable
3. Enter the switchShow command to verify the switch state is offline.
4. Enter the licensePort --release command to remove the port from the POD license.
switch:admin> licenseport --release 0
5. Enter the licensePort --show command to verify the port is no longer assigned to a POD set.
switch:admin> licenseport --show
24 ports are available in this switch
Full POD license is installed
Dynamic POD method is in use
24 port assignments are provisioned for use in this switch:
  12 port assignments are provisioned by the base switch license
  12 port assignments are provisioned by a full POD license
10 ports are assigned to installed licenses:
  10 ports are assigned to the base switch license
  0 ports are assigned to the full POD license
Ports assigned to the base switch license:
  1*, 2*, 3*, 4*, 5*, 6*, 8*, 21, 22, 23
Ports assigned to the full POD license:
  None
Ports not assigned to a license:
  0, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
switch:admin>
6. Enter the switchEnable command to bring the switch back online.
7. Enter the switchShow command to verify the switch state is now online.

Disabling and enabling switches

By default, the switch is enabled after power is applied and diagnostics and switch initialization routines have finished. You can disable and reenable it as necessary.
To disable a switch:
1. Connect to the switch and log in using an admin account.
2. Enter the switchDisable command.
All Fibre Channel ports on the switch are taken offline. If the switch was part of a fabric, the fabric is reconfigured.
To enable a switch:
1. Connect to the switch and log in using an admin account.
2. Enter the switchEnable command.
All Fibre Channel ports that passed the POST test are enabled. If the switch has interswitch links (ISLs) to a fabric, it joins the fabric.

Disabling and enabling ports

By default, all licensed ports are enabled. You can disable and reenable them as necessary. Ports that you activate with Ports on Demand must be enabled explicitly, as described in ”Activating ports on demand” on page 37.
WARNING! The fabric will be reconfigured if the port you are enabling or disabling is connected to another switch. The switch whose port has been disabled will be segmented from the fabric and all traffic flowing between it and the fabric will be lost.
To disable a port:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the following command:
switch:admin> portdisable portnumber
where portnumber is the port number of the port you want to disable.
For 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director), enter the following command:
switch:admin> portdisable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to disable.
To enable a port:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
switch:admin> portenable portnumber
where portnumber is the port number of the port you want to enable.
For 4/256 SAN Director and DC Director, enter the following command:
switch:admin> portenable slotnumber/portnumber
where slotnumber and portnumber are the slot and port numbers of the port you want to enable. (Slots are numbered 1 through 4 and 7 through 10, counting from left to right.)
If the port is connected to another switch, the fabric may be reconfigured. If the port is connected to one or more devices, these devices become available to the fabric.
If you change port configurations during a switch failover, the ports may become disabled. To bring the ports online, re-issue the portEnable command after the failover is complete.

Making basic connections

You can make basic connections to devices and to other switches.
Before connecting a switch to a fabric that contains switches running different firmware versions, you must first set the same PID format on all switches. The presence of different PID formats in a fabric causes fabric segmentation.
For information on PID formats and related procedures, see ”Selecting a PID format” on page 465.
For information on configuring the routing of connections, see ”Routing traffic” on page 205.
For information on configuring extended interswitch connections, see ”Administering Extended Fabrics” on page 361.

Connecting to devices

To minimize port logins, power off all devices before connecting them to the switch. For devices that cannot be powered off, first use the portDisable command to disable the port on the switch, and then connect the device. When powering the devices back on, wait for each device to complete the fabric login before powering on the next one.

Connecting to other switches

See the hardware reference guide for your specific switch for interswitch link (ISL) connection and cable management information. The standard or default ISL mode is L0. ISL Mode L0 is a static mode, with the following maximum ISL distances:
10 km at 1 Gbps
5 km at 2 Gbps
2.5 km at 4 Gbps
1.25 km at 8 Gbps
ISL mode L0 is available on all Fabric OS releases. When you upgrade from Fabric OS 5.3.0 to Fabric OS 6.x or later, all extended ISL ports are set automatically to L0 mode.
For information on extended ISL modes, which enable longer distance interswitch links, see ”Administering Extended Fabrics” on page 361.

Linking through a gateway

A gateway merges SANs into a single fabric by establishing point-to-point E_Port connectivity between two Fibre Channel switches that are separated by a network with a protocol such as IP or SONET.
Except for link initialization, gateways are transparent to switches; the gateway simply provides E_Port connectivity from one switch to another.
By default, switch ports initialize links using the Exchange Link Parameters (ELP) mode 1. However, gateways expect initialization with ELP mode 2, also referred to as ISL R_RDY mode. Therefore, to enable two switches to link through a gateway, the ports on both switches must be set for ELP mode 2.
Any number of E_Ports in a fabric can be configured for gateway links, provided the following rules are followed:
All switches in the fabric must be upgraded to Fabric OS 5.2.0 or later.
All switches in the fabric must be using the core PID format.
The switches connected to both sides of the gateway are included when determining switch count maximums.
Extended links (those created using the Extended Fabrics licensed feature) are not supported through gateway links, and neither are the Secure Fabric OS security features if you are running a Fabric OS version earlier than 6.x.
To configure a link through a gateway:
1. If you are not sure whether the PID format is consistent across the entire fabric, enter the configShow command on all switches to check the PID setting. If necessary, change the PID format on any nonconforming switches, as described in ”Configuring the PID format” on page 463.
2. Connect to the switch on one end of the gateway and log in using an admin account.
3. Enter the portCfgIslMode command that is appropriate for your hardware model:
4/8 SAN Switch and 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, and 400 Multi-protocol Router:
portCfgIslMode <port, mode>
Specify a port number. Valid values for the port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director):
portCfgIslMode <slot/port, mode>
Specify a slot/port number pair. Valid values for slot and port number vary depending on the switch type. The mode operand is required: specify 1 to enable ISL R_RDY mode (gateway link) or specify 0 to disable it.
In the following example, slot 2, port 3 is enabled for a gateway link:
switch:admin> portcfgislmode 2/3, 1
Committing configuration...done.
ISL R_RDY Mode is enabled for port 3. Please make sure the PID formats are consistent across the entire fabric.
switch:admin>
4. Repeat the steps for any additional ports that will be connected to the gateway.
5. Repeat the procedure on the switch at the other end of the gateway.

Checking status

You can check the status of switch operation, High Availability features, and fabric connectivity.
To check switch operation:
1. Connect to the switch and log in using an admin account.
2. Enter the switchShow command. This command displays a switch summary and a port summary.
3. Check that the switch and ports are online.
4. Use the switchStatusShow command to further check the status of the switch.
High Availability (HA) features provide maximum reliability and nondisruptive replacement of key hardware and software modules.
To verify HA features (Directors only):
1. Connect to the switch and log in using an account with the admin role.
2. Enter the chassisShow command to verify the field replaceable units (FRUs).
3. Enter the haShow command to verify that HA is enabled, the heartbeat is up, and the HA state is synchronized between the active and standby CP blades.
4. Enter the slotShow command to display the inventory and the current status of each slot in the system.
To verify fabric connectivity:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the fabricShow command. This command displays a summary of all the switches in the fabric.
switch:admin> fabricshow
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180 >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
The > in front of a switch name marks the principal switch of the fabric.
To verify device connectivity:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Optional: Enter the switchShow command to verify that devices, hosts, and storage are connected.
3. Optional: Enter the nsShow command to verify that devices, hosts, and storage have successfully registered with the name server.
4. Enter the nsAllShow command to display the 24-bit Fibre Channel addresses of all devices in the fabric.
switch:admin> nsallshow
{
 010e00 012fe8 012fef 030500 030b04 030b08 030b17 030b18 030b1e 030b1f
 040000 050000 050200 050700 050800 050de8 050def 051700 061c00 071a00
 073c00 090d00 0a0200 0a07ca 0a07cb 0a07cc 0a07cd 0a07ce 0a07d1 0a07d2
 0a07d3 0a07d4 0a07d5 0a07d6 0a07d9 0a07da 0a07dc 0a07e0 0a07e1 0a0f01
 0a0f02 0a0f0f 0a0f10 0a0f1b 0a0f1d 0b2700 0b2e00 0b2fe8 0b2fef 0f0000
 0f0226 0f0233 0f02e4 0f02e8 0f02ef 210e00 211700 211fe8 211fef 2c0000
 2c0300 611000 6114e8 6114ef 611600 620800 621026 621036 6210e4 6210e8
 6210ef 621400 621500 621700 621a00
 75 Nx_Ports in the Fabric }
switch:admin>
The number of devices listed should reflect the number of devices that are connected.
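The fabricShow and nsAllShow listings are easiest to check against each other by domain: the high byte of each 24-bit Nx_Port address is the domain ID of the switch the device logged in to. The following Python script, added here as an example and not part of this guide or of Fabric OS, parses both listings, counts name-server entries per switch, and flags addresses whose domain does not belong to any switch in the fabric (a stale entry, or a switch missing from fabricShow). The fabricShow text is the sample above; the nsAllShow addresses are constructed so that they fall in domains 64 to 67, plus one deliberate stray in domain 0x45.

```python
"""Cross-check fabricShow against nsAllShow by domain ID."""
import re
from collections import defaultdict

# fabricShow output as printed in the guide (the > marks the principal switch).
FABRICSHOW = """\
Switch ID   Worldwide Name           Enet IP Addr    FC IP Addr      Name
-------------------------------------------------------------------------
 64: fffc40 10:00:00:60:69:00:06:56 192.168.64.59   192.168.65.59   "sw5"
 65: fffc41 10:00:00:60:69:00:02:0b 192.168.64.180  192.168.65.180 >"sw180"
 66: fffc42 10:00:00:60:69:00:05:91 192.168.64.60   192.168.65.60   "sw60"
 67: fffc43 10:00:00:60:69:10:60:1f 192.168.64.187  0.0.0.0         "sw187"
The Fabric has 4 switches
"""

# Constructed nsAllShow output: addresses in domains 64..67 plus one stray
# (450100) whose domain 0x45 belongs to no switch in the listing above.
NSALLSHOW = """\
{
 400100 400200 400300 40e000 410100 410200 420400 420401 420402 430100
 450100
 11 Nx_Ports in the Fabric }
"""

_SWITCH = re.compile(
    r'^\s*(?P<domain>\d+):\s+(?P<fcid>[0-9a-f]{6})\s+'
    r'(?P<wwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})\s+(?P<ip>\S+)\s+(?P<fcip>\S+)\s+'
    r'(?P<principal>>?)"(?P<name>[^"]+)"'
)


def parse_fabricshow(text):
    """One dict per switch row. Raises if a fabric ID (fffcXX) does not encode
    its domain, or the row count disagrees with the 'The Fabric has N' trailer."""
    switches = []
    for line in text.splitlines():
        m = _SWITCH.match(line)
        if not m:
            continue
        sw = m.groupdict()
        sw["domain"] = int(sw["domain"])
        sw["principal"] = sw["principal"] == ">"
        if int(sw["fcid"][-2:], 16) != sw["domain"]:
            raise ValueError("switch ID %s does not match domain %d" % (sw["fcid"], sw["domain"]))
        switches.append(sw)
    m = re.search(r"The Fabric has (\d+) switches", text)
    if m and int(m.group(1)) != len(switches):
        raise ValueError("parsed %d switch rows, trailer says %s" % (len(switches), m.group(1)))
    return switches


def parse_nsallshow(text):
    """-> (24-bit port IDs as hex strings, the Nx_Port count the switch reported)."""
    body = text[text.index("{") + 1:text.rindex("}")]
    pids = re.findall(r"\b[0-9a-f]{6}\b", body)
    m = re.search(r"(\d+) Nx_Ports in the Fabric", body)
    return pids, (int(m.group(1)) if m else None)


def reconcile(switches, pids, reported):
    """Devices per switch, addresses in domains no switch owns, and whether
    the reported Nx_Port count matches the number of addresses listed."""
    names = {sw["domain"]: sw["name"] for sw in switches}
    per_domain = defaultdict(list)
    for pid in pids:
        per_domain[int(pid[:2], 16)].append(pid)  # high byte of the PID is the domain
    return {
        "devices_per_switch": {names[d]: len(v) for d, v in per_domain.items() if d in names},
        "stray_domains": {d: v for d, v in per_domain.items() if d not in names},
        "count_matches": reported is None or reported == len(pids),
        "principal": next((sw["name"] for sw in switches if sw["principal"]), None),
    }


if __name__ == "__main__":
    sws = parse_fabricshow(FABRICSHOW)
    pids, reported = parse_nsallshow(NSALLSHOW)
    for key, value in reconcile(sws, pids, reported).items():
        print("%-20s %s" % (key, value))
```

Compare devices_per_switch with the number of devices physically cabled to each switch; a stray domain or a count mismatch is the cue to run nsShow on the switch concerned.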
To show switches in Access Gateway mode:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the agShow command.
switch:admin> agshow
Worldwide Name            Ports  Enet IP Addr   Firmware  Local/Remote  Name
---------------------------------------------------------------------------
10:00:00:05:1e:02:1d:b0   16     10.32.53.4     v5.2.1    local         ag_01
10:00:00:05:1e:03:4b:e7   24     10.32.60.95    v5.2.1    local         ag_02
10:00:00:05:1e:35:a2:58   20     10.32.53.180   v5.2.1    remote        ag_03
This command displays all the switches in Access Gateway mode in the fabric.

Tracking and controlling switch changes

The track changes feature allows you to keep a record of specific changes that may not be considered switch events, but may provide useful information. The output from the track changes feature is dumped to the system messages log for the switch. Use the errDump or errShow command to view the log.
Items in the log created from the Track changes feature are labeled TRCK.
Trackable changes are:
Successful login
Unsuccessful login
Logout
Configuration file change from task
Track changes on
Track changes off
An SNMP-TRAP mode can also be enabled (see the trackChangesHelp command in the Fabric OS Command Reference).
For troubleshooting information on the track changes feature, see ”Inaccurate information in the system message log” on page 320.
To enable the track changes feature:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trackChangesSet 1 command to enable the track changes feature.
A message displays, verifying that the track changes feature is on:
switch:admin> trackchangesset 1
Committing configuration...done.
switch:admin>
3. Use the errDump or errShow command to view the log. A track changes entry looks like this:
2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
To display the status of the track changes feature:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the trackChangesShow command.
The status of the track changes feature is displayed as either on or off. The display includes whether or not the track changes feature is configured to send SNMP traps.
switch:admin> trackchangesshow
Track changes status: ON
Track changes generate SNMP-TRAP: NO
switch:admin>
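To make TRCK entries useful for detection rather than only for reading, the following Python script, added as an example and not part of this guide or of Fabric OS, parses errDump lines in the format shown above, classifies the trackable changes listed earlier by their message text, reports users with a burst of unsuccessful logins, and reports any point at which track changes was switched off. The log lines are constructed for the example: only the TRCK-1001 line layout is taken from the guide, and the other message IDs and wordings in the sample are assumptions, which is why the classifier keys on the message text rather than on the message ID.

```python
"""Parse Fabric OS track-changes (TRCK) entries out of an errDump listing."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample. Only the TRCK-1001 line layout is taken from the guide;
# the other message IDs and wordings are assumptions made for this example.
SAMPLE_LOG = """\
2004/08/24-08:45:43, [TRCK-1001], 212,, INFO, ras007, Successful login by user admin.
2004/08/24-08:51:10, [TRCK-1002], 213,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-08:51:31, [TRCK-1002], 214,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-08:51:52, [TRCK-1002], 215,, INFO, ras007, Unsuccessful login by user admin.
2004/08/24-08:52:07, [TRCK-1001], 216,, INFO, ras007, Successful login by user admin.
2004/08/24-08:55:40, [TRCK-1004], 217,, INFO, ras007, Config file change from task: ZONE.
2004/08/24-09:01:02, [TRCK-1003], 218,, INFO, ras007, Logout by user admin.
2004/08/24-09:05:00, [TRCK-1006], 219,, INFO, ras007, Track changes off.
2004/08/24-09:06:30, [OTHER-0001], 220,, WARNING, ras007, Not a track-changes entry.
"""

# Field layout of an errDump line: time, [message ID], sequence number,
# flags, severity, switch name, message text.
_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2}), \[(?P<msgid>[A-Z]+-\d+)\], "
    r"(?P<seq>\d+),(?P<flags>[^,]*), (?P<sev>\w+), (?P<switch>[^,]+), (?P<msg>.*)$"
)
# The six trackable changes the guide lists, recognised by message text.
_KINDS = (
    ("login_ok", re.compile(r"^Successful login", re.I)),
    ("login_fail", re.compile(r"^Unsuccessful login", re.I)),
    ("logout", re.compile(r"^Logout", re.I)),
    ("config_change", re.compile(r"^Config(?:uration)? file change", re.I)),
    ("track_on", re.compile(r"^Track.changes on", re.I)),
    ("track_off", re.compile(r"^Track.changes off", re.I)),
)
_USER = re.compile(r"by user (\S+?)\.?$")
_TIME_FMT = "%Y/%m/%d-%H:%M:%S"


def parse_log(text):
    """Return the TRCK events in an errDump listing, oldest first."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m or not m.group("msgid").startswith("TRCK-"):
            continue  # not a track-changes entry, or not a log line at all
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], _TIME_FMT)
        ev["kind"] = next((k for k, pat in _KINDS if pat.match(ev["msg"])), "other")
        u = _USER.search(ev["msg"])
        ev["user"] = u.group(1) if u else None
        events.append(ev)
    return sorted(events, key=lambda e: (e["time"], int(e["seq"])))


def summarize(events):
    """Number of events of each kind of trackable change."""
    return Counter(e["kind"] for e in events)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """(user, first timestamp, count) for every user with at least `threshold`
    unsuccessful logins inside a span no longer than `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "login_fail":
            by_user[e["user"] or "<unknown>"].append(e["time"])
    bursts = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, times[start].strftime(_TIME_FMT), end - start + 1))
                break  # one report per user is enough
    return bursts


def tracking_disabled_at(events):
    """Timestamps at which track changes was turned off; someone covering
    their tracks would do this first, so it deserves its own check."""
    return [e["ts"] for e in events if e["kind"] == "track_off"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(dict(summarize(evs)))
    print(failed_login_bursts(evs))
    print(tracking_disabled_at(evs))
```

Because the switch streams these entries to syslog rather than storing them persistently, run the script against the syslog host's copy of the log, not against the switch.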
To view the switch status policy threshold values:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchStatusPolicyShow command.
Whenever there is a switch change, an error message is logged and an SNMP connUnitStatusChange trap is sent.
The output is similar to the following:
switch:admin> switchstatuspolicyshow
The current overall switch status policy parameters:
                Down    Marginal
----------------------------------
PowerSupplies    3       0
Temperatures     2       1
Fans             2       1
WWN              0       1
CP               0       1
Blade            0       1
Flash            0       1
MarginalPorts    2       1
FaultyPorts      2       1
MissingSFPs      0       0
The policy parameter determines the number of failed or inoperable units for each contributor that will trigger a status change in the switch.
Each parameter can be adjusted so that a specific threshold must be reached before that parameter changes the overall status of a switch to MARGINAL or DOWN. For example, if the FaultyPorts DOWN parameter is set to 3, the status of the switch will change if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch.
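As an added example that is not part of this guide or of Fabric OS, the following Python code parses the switchStatusPolicyShow table shown above and applies the rule just described: a threshold of 0 means the parameter is not used for that status level, a count equal to or above a threshold crosses it, and one contributor crossing a threshold is enough to change the overall status. The fault counts fed to it are constructed; the status names HEALTHY, MARGINAL, and DOWN are those reported by switchStatusShow.

```python
"""Apply switchStatusPolicyShow thresholds to a set of fault counts."""
import re

# The policy table printed by switchStatusPolicyShow in the guide.
SAMPLE_POLICY = """\
The current overall switch status policy parameters:
                Down    Marginal
----------------------------------
PowerSupplies    3       0
Temperatures     2       1
Fans             2       1
WWN              0       1
CP               0       1
Blade            0       1
Flash            0       1
MarginalPorts    2       1
FaultyPorts      2       1
MissingSFPs      0       0
"""

_ROW = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)\s+(\d+)\s*$")


def parse_policy(text):
    """-> {contributor: (down_threshold, marginal_threshold)}"""
    policy = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            policy[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return policy


def evaluate(policy, counts):
    """counts maps a contributor to its number of failed or inoperable units.
    Returns (status, contributors): status is DOWN, MARGINAL or HEALTHY and
    contributors lists every (name, count, level) that crossed a threshold."""
    unknown = set(counts) - set(policy)
    if unknown:
        raise ValueError("not a policy contributor: %s" % sorted(unknown))
    contributors = []
    for name, (down, marginal) in policy.items():
        n = counts.get(name, 0)
        # A threshold of 0 means the contributor is not used for that level.
        if down and n >= down:
            contributors.append((name, n, "DOWN"))
        elif marginal and n >= marginal:
            contributors.append((name, n, "MARGINAL"))
    # One contributor crossing a threshold is enough to change overall status.
    if any(level == "DOWN" for _, _, level in contributors):
        return "DOWN", contributors
    if contributors:
        return "MARGINAL", contributors
    return "HEALTHY", contributors


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for counts in ({"FaultyPorts": 1}, {"FaultyPorts": 2}, {"MissingSFPs": 5},
                   {"PowerSupplies": 2, "WWN": 1}):
        print(counts, "->", evaluate(policy, counts))
```

Note what the sample policy implies: with MissingSFPs at 0,0 any number of empty ports is ignored, and with PowerSupplies at 3,0 a switch with two failed supplies still reports HEALTHY. Feed the evaluator the policy of each switch you manage to see which faults it would silently tolerate.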
For more information about setting policy parameters, see the Fabric Watch Administrator’s Guide.
To set the switch status policy threshold values:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the switchStatusPolicySet command.
The current switch status policy parameter values are displayed. You are prompted to enter values for each DOWN and MARGINAL threshold parameter.
By setting the DOWN and MARGINAL values for a parameter to 0,0 that parameter is no longer used in setting the overall status for the switch.
3. Verify the threshold settings you have configured for each parameter.
Enter the switchStatusPolicyShow command to view your current switch status policy configuration.
HP StorageWorks 4/8 SAN Switch and 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router:
switch:admin> switchstatuspolicyset
To change the overall switch status policy parameters
The current overall switch status policy parameters:
                Down    Marginal
----------------------------------
PowerSupplies    2       1
Temperatures     2       1
Fans             2       1
Flash            0       1
MarginalPorts    2       1
FaultyPorts      2       1
MissingSFPs      0       0
Note that the value, 0, for a parameter, means that it is NOT used in the calculation.
** In addition, if the range of settable values in the prompt is (0..0),
** the policy parameter is NOT applicable to the switch.
** Simply hit the Return key.
Bad PowerSupplies contributing to DOWN status: (0..2) [2] 0
Bad PowerSupplies contributing to MARGINAL status: (0..2) [1] 0
Bad Temperatures contributing to DOWN status: (0..6) [2] 0
Bad Temperatures contributing to MARGINAL status: (0..6) [1] 0
Bad Fans contributing to DOWN status: (0..3) [2] 0
Bad Fans contributing to MARGINAL status: (0..3) [1] 0
Out of range Flash contributing to DOWN status: (0..1) [0] 0
Out of range Flash contributing to MARGINAL status: (0..1) [1] 0
MarginalPorts contributing to DOWN status: (0..32) [2] 0
MarginalPorts contributing to MARGINAL status: (0..32) [1] 0
FaultyPorts contributing to DOWN status: (0..32) [2] 0
FaultyPorts contributing to MARGINAL status: (0..32) [1] 0
MissingSFPs contributing to DOWN status: (0..32) [0] 0
MissingSFPs contributing to MARGINAL status: (0..32) [0] 0
Policy parameter set has been changed
rint12:admin>
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director): Command output includes parameters related to CP blades.

Configuring the audit log

When managing SANs, you may want to filter, or audit certain classes of events to ensure that you can view and generate an audit log for what is happening on a switch, particularly for security-related event changes if you are running a Fabric OS version earlier than 6.x. These events include login failures, zone configuration changes, firmware downloads, and other configuration changes—in other words—critical changes that have a serious effect on the operation and security of the switch.
Important information related to event classes is also tracked and made available. For example, you can track changes from an external source by the user name, IP address, or type of management interface used to access the switch.
Auditable events are generated by the switch and streamed to an external host through a configured system message log daemon (syslog). You specify a filter on the output to select the event classes that are sent through the system message log. The filtered events are streamed chronologically and sent to the system message log on an external host in the specified audit message format. This ensures that they can be easily distinguished from other system message log events that occur in the network. Then, at some regular interval of your choosing, you can review the audit events to look for unexpected changes.
50 Standard features
Before you configure audit event logging, familiarize yourself with the following audit event log behaviors and limitations:
By default, all event classes are configured for audit; to create an audit event log for specific events, you must explicitly set a filter with the class operand and then enable it.
Audited events are generated specific to a switch and have no negative impact on performance.
If you are running Fabric OS versions earlier than 6.x, all Secure Fabric OS events are audited.
Events are not persistently stored on the switch but are streamed to a system message log.
The audit log depends on the system message log facility and IP network to send messages from the switch to a remote host. Because the audit event log configuration has no control over these facilities, audit events can be lost if the system message log and IP network facilities fail.
If too many events are generated by the switch, the system message log will become a bottleneck and audit events will be dropped by the Fabric OS.
If the user name, IP address, or user interface is not transported, an audit message is logged by adding the message None to each of the respective fields.
For High Availability, the audit event logs exist independently on both active and standby CPs. The configuration changes that occur on the active CP are propagated to the standby CP and take effect.
Audit log configuration is updated through a configuration download.
See the Fabric OS Command Reference for more information about the auditCfg command and command syntax.

Auditable event classes

You configure the audit log using the auditCfg command. Before configuring an audit log, you must select the event classes you want audited. When enabled, the audit log feature audits any RASLog messages (system message log) previously tagged as AUDIT in Fabric OS 6.x. The audit log includes:
SEC-3001 through SEC-3017
SEC-3024 through SEC-3029
ZONE-3001 through ZONE-3012
Table 5 identifies auditable event classes and the auditCfg operands used to enable auditing of a specific class.
Table 5 AuditCfg event class operands
Operand  Event class    Description
1        Zone           Audit zone event configuration changes, but not the actual values that were changed. For example, a message may state, “Zone configuration has changed,” but the syslog does not display the actual values that were changed.
2        Security       Audit any user-initiated security events for all management interfaces. For events that have an impact on an entire fabric, an audit is generated only for the switch from which the event was initiated.
3        Configuration  Audit configuration downloads of existing SNMP configuration parameters. Configuration uploads are not audited.
4        Firmware       Audit firmware download start, firmware complete, and any other errors encountered during a firmware download.
5        Fabric         Audit administrative domain-related changes.
NOTE: Only the active CP can generate audit messages because event classes being audited occur only on the active CP. Audit messages cannot originate from other blades in a Director.
Audit events have the following message format:
AUDIT, <Timestamp>, [<Event ID>], <Severity>, <Event Class>, <User ID>/<Role>/<IP address>/<Interface>, <Admin Domain>/<Switch name>, <Reserved>, <Event-specific information>
Switch names are logged for switch components and Director names for Director components. For example, a Director name may be FWDL or RAS and a switch component name may be zone, name server, or SNMP.
Pushed messages contain the administration domain of the entity that generated the event. See the Fabric OS Message Reference for details on message formats. See ”Working with Diagnostic Features” on page 285 for details on setting up the system error log daemon.
Audit logging assumes that your syslog is operational and running. Before configuring an audit log, you must perform the following steps to ensure that the host syslog is operational.
To verify host syslog prior to configuring the audit log:
1. Set up an external host machine with a system message log daemon running to receive the audit events that will be generated.
2. On the switch where the audit configuration is enabled, enter the syslogdipaddrAdd command to add the IP address of the host machine so that it can receive the audit events. You can use IPv4, IPv6, or DNS names for the syslogdipaddrAdd command.
3. Ensure the network is configured with a network connection between the switch and the remote host.
4. Check the host SYSLOG configuration. If all error levels are not configured, you may not see some of the audit messages.
To configure an audit log for specific event classes:
1. Connect to the switch from which you wish to generate an audit log and log in using an account assigned to the admin role.
2. Enter the auditCfg --class command, which defines the specific event classes to be filtered. The auditCfg event class operands are identified in Table 5.
switch:admin> auditcfg --class 2,4
Audit filter is configured.
3. Enter the auditCfg --enable command, which enables audit event logging based on the classes configured in step 2.
switch:admin> auditcfg --enable
Audit filter is enabled.
To disable an audit event configuration, enter the auditCfg --disable command.
4. Enter the auditCfg --show command to view the filter configuration and confirm that the correct event classes are being audited, and the correct filter state appears (enabled or disabled).
switch:admin> auditcfg --show
Audit filter is enabled.
2-SECURITY
4-FIRMWARE
5. To verify the audit event log setup, make a change affecting an enabled event class, and confirm that the remote host machine receives the audit event messages. The following example shows the SYSLOG (system message log) output for audit logging.
Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, [SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, ad_0/ras007_chassis, , Firmwarecommit has started.
Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [CONF-1010], INFO, CONFIGURATION, root/root/NONE/console/CLI, ad_0/ras070, , configDownload failed
Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, [SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, Domain A/DoeSwitch, , Incorrect password during login attempt.
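The following script is an added example and is not part of the HP or Brocade documentation. It parses the AUDIT message format given above as it arrives at the syslog host, using the three sample records from the example (re-joined onto single lines), and pulls out the failed-login events a reviewer would look for during the periodic review the guide recommends. The syslog prefix pattern (host timestamp and bracketed relay tag) is assumed from the sample lines only; every function and class name is this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three records from the guide's example, with the line breaks that the
# page layout introduced removed. "[host.2.2]" is the syslog relay tag exactly
# as the sample shows it.
SAMPLE_LINES = [
    "Jun 2 08:33:04 [10.32.220.7.2.2] raslogd: AUDIT, 2006/06/02-15:25:53, "
    "[SULB-1003], INFO, FIRMWARE, root/root/NONE/console/CLI, "
    "ad_0/ras007_chassis, , Firmwarecommit has started.",
    "Jun 5 06:45:33 [10.32.220.70.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, "
    "[CONF-1010], INFO, CONFIGURATION, root/root/NONE/console/CLI, "
    "ad_0/ras070, , configDownload failed",
    "Jun 5 08:15:32 [10.32.248.73.2.2] raslogd: AUDIT, 2006/06/05-13:38:17, "
    "[SEC-1000], WARNING, SECURITY, JaneDoe/root/192.168.132.19/telnet, "
    "Domain A/DoeSwitch, , Incorrect password during login attempt.",
]

# Syslog prefix written by the receiving host (assumed from the samples),
# followed by the Fabric OS AUDIT record.
AUDIT_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<relay>[^\]]+)\] raslogd: AUDIT, (?P<body>.*)$"
)


@dataclass
class AuditEvent:
    syslog_ts: str
    relay: str
    timestamp: str      # switch-local time, YYYY/MM/DD-HH:MM:SS
    event_id: str       # e.g. SEC-1000, brackets removed
    severity: str
    event_class: str    # ZONE, SECURITY, CONFIGURATION, FIRMWARE or FABRIC
    user: str
    role: str
    ip: Optional[str]   # None when the switch logged NONE (not transported)
    interface: str      # may itself contain a slash, e.g. console/CLI
    admin_domain: str
    switch: str
    reserved: str
    info: str           # event-specific text, kept whole (it may contain commas)


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line; return None for anything that is not an AUDIT record."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    # Split only the seven leading comma-separated fields so that commas inside
    # the event-specific information are preserved.
    fields = [f.strip() for f in m.group("body").split(",", 7)]
    if len(fields) != 8:
        return None
    timestamp, event_id, severity, event_class, who, where, reserved, info = fields
    # <User ID>/<Role>/<IP address>/<Interface>: the interface can contain a
    # slash (console/CLI), so split at most three times from the left.
    who_parts = who.split("/", 3)
    if len(who_parts) != 4:
        return None
    user, role, ip, interface = who_parts
    # <Admin Domain>/<Switch name>: the domain name may contain spaces.
    admin_domain, _, switch = where.partition("/")
    return AuditEvent(
        syslog_ts=m.group("syslog_ts"),
        relay=m.group("relay"),
        timestamp=timestamp,
        event_id=event_id.strip("[]"),
        severity=severity,
        event_class=event_class,
        user=user,
        role=role,
        ip=None if ip.upper() == "NONE" else ip,
        interface=interface,
        admin_domain=admin_domain,
        switch=switch,
        reserved=reserved,
        info=info,
    )


def failed_logins(lines) -> List[Tuple[str, Optional[str], str]]:
    """Collect (user, source IP, switch) for SECURITY records that report a bad password."""
    hits = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.event_class == "SECURITY" and "Incorrect password" in ev.info:
            hits.append((ev.user, ev.ip, ev.switch))
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_audit_line(raw)
        print(f"{ev.event_id:10} {ev.event_class:14} {ev.user}@{ev.ip or 'console'} -> {ev.switch}: {ev.info}")
    print("failed logins:", failed_logins(SAMPLE_LINES))
```

Two details matter when writing such a parser against real output: the <Interface> field for console sessions is itself "console/CLI", so splitting the user field on every slash misassigns the fields, and the event-specific text is free-form and may contain commas, so only the fixed leading fields should be split. When the IP address arrives as NONE (the guide's "not transported" case) the parser records it as absent rather than as a literal string, so a reviewer does not end up searching for a host named NONE.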

Shutting down switches and Directors

To avoid corrupting your file system, HP recommends that you perform graceful shutdowns of switches and Directors. The following procedure describes how to gracefully shut down a switch.
To power off a switch:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Enter the sysShutdown command.
3. At the prompt, enter y.
switch:admin> sysshutdown
This command will shutdown the operating systems on your switch.
You are required to power-cycle the switch in order to restore operation.
Are you sure you want to shutdown the switch [y/n]?y
4. Wait until the following message displays:
Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...
The system is going down for system halt NOW !!
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
Unmounting all filesystems.
The system is halted
flushing ide devices: hda
Power down.
5. Power off the switch.
To power off a Director:
1. From the active CP in a dual CP platform, enter the sysShutdown command.
When the sysShutdown command is issued on the active CP, the active CP, the standby CP, and any AP blades are all shut down.
2. At the prompt, enter y.
3. Wait until you see the following message:
2006/01/25-17:01:40, [FSSM-1003], 194,, WARNING, NANDU, HA State out of sync
HA is disabled
Broadcast message from root (ttyS0) Wed Jan 25 17:01:41 2006...
The system is going down for system halt NOW !!
INIT: Switching to runlevel: 0
INIT: Sending processes the TERM signal
Unmounting all filesystems.
The system is halted
flushing ide devices: hda
Power down.
4. Power off the Director.

High Availability of daemon processes

Fabric OS 6.x supports automatic restart of non-critical daemons. Starting these non-critical daemons is automatic; you cannot configure the startup process. The following sequence of events occurs when a non-critical daemon fails:
1. When a non-critical daemon fails or dies, a RASLog and AUDIT event message is logged.
2. The daemon is automatically started again.
3. If the restart is successful, then another message is sent to RASLog and AUDIT reporting the successful restart status.
4. If the restart fails, another message is sent to RASLog and no further attempts are made to restart the daemon. Schedule downtime and reboot the switch at your convenience.
Table 6 lists the daemons that are considered non-critical and are automatically restarted on failure.

Table 6 Daemons that are automatically restarted

Daemon   Description
Arrd     Asynchronous Response Router (used to send management data to hosts when the switch is accessed through the APIs (FA API or SMI-S)).
Cald     Common Access Layer Daemon (used by Manageability Applications).
Evmd     Event Monitor Daemon (used by port and switch SCNs, firmwareDownload, and configDownload).
Raslogd  Reliability, Availability, and Serviceability Log Daemon; logs error detection, reporting, handling, and presentation of data into a format readable by management tools and the user.
Rpcd     Remote Procedure Call daemon used by the API (Fabric Access API and SMI-S).
Snmpd    Simple Network Management Protocol Daemon.
Traced   Trace Daemon. Provides trace entry date/time translation to Trace Device at startup and when date/time changed by command. Maintains the trace dump trigger parameters in a Trace Device. Performs the trace Background Dump, trace automatic FTP, and FTP “aliveness check” if auto-FTP is enabled.
Trackd   Track Changes Daemon.
Webd     Webserver daemon used for Web Tools (includes httpd as well).

2 Managing user accounts

This chapter provides information and procedures on managing authentication and user accounts for the switch management channel.

Overview

In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252 additional user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
Each user-defined account is associated with the following:
Admin Domain list—Specifies what Admin Domains a user account is allowed to log in to.
Home Admin Domain—Specifies the Admin Domain that the user is logged in to by default. The home Admin Domain must be a member of the user’s Admin Domain list.
Role—Determines functional access levels within the bounds of the user’s current Admin Domain.
Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods:
Remote RADIUS servers—Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.
Remote LDAP servers—Users are managed in a remote LDAP server. All switches in the fabric can be configured to authenticate against the centralized remote database.
Local user database—Users are managed using the local user database. The local user database is manually synchronized using the distribute command to push a copy of the switch’s local user database to all other Fabric OS 5.3.0 and later switches in the fabric.

Accessing the management channel

Table 7 shows the number of simultaneous login sessions allowed for each role. The roles are displayed in alphabetic order, which does not reflect their importance.
Table 7 Maximum number of simultaneous sessions
Role name         Maximum sessions
Admin             2
BasicSwitchAdmin  4
FabricAdmin       4
Operator          4
SecurityAdmin     4
SwitchAdmin       4
User              4
ZoneAdmin         4

Using Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of predefined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS 6.x uses RBAC to determine which commands a user can issue.
When you log in to a switch, your user account is associated with a pre-defined role. The role that your account is associated with determines the level of access you have on that switch and in the fabric. Table 8 outlines the Fabric OS predefined roles.
Table 8 Fabric OS 6.x roles
Role name         Fabric OS version  Duties                            Description
Admin             All                All administration                All administrative commands.
BasicSwitchAdmin  5.2.0 and later    Restricted switch administration  Mostly monitoring with limited switch (local) commands.
FabricAdmin       5.2.0 and later    Fabric and switch administration  All switch and fabric commands; excludes user management and Administrative Domains commands.
Operator          5.2.0 and later    General switch administration     Routine switch maintenance commands.
SecurityAdmin     5.3.0 and later    Restricts security functions      All switch security and user management functions.
SwitchAdmin       5.0.0 and later    Local switch administration       Most switch (local) commands; excludes security, user management, and zoning commands.
User              All                Monitoring only                   Nonadministrative use, such as monitoring system activity.
ZoneAdmin         5.2.0 and later    Zone administration               Zone management commands only.
You can perform these operations only on the primary FCS switch.
For legacy users with no Admin Domain specified, the user will have access to AD 0 through 255 (physical fabric admin) if their current role is Admin; otherwise, the user will have access to AD0 only.
If some Admin Domains have been defined for the user and all of them are inactive, the user will not be allowed to log in to any switch in the fabric.
If no Home Domain is specified for a user, the system provides a default home domain. The default home domain for the predefined account is AD0. For user-defined accounts, the default home domain is the Admin Domain in the user’s Admin Domain list with the lowest ID.

Role permissions

Table 9 describes the types of permissions that are assigned to roles.
Table 9 Permission types
Abbreviation  Definition          Description
O             Observe             The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch.
M             Modify              The user can run commands using options that create, change, and delete objects on the system, such as running userConfig --change username -r rolename to change a user’s role.
OM            Observe and modify  The user can run commands using both observe and modify options; if a role has modify permissions, it almost always has observe.
N             None                The user is not allowed to run commands in a given category.
Table 10 shows the permission type for categories of commands that each role is assigned. The permissions apply to all commands within the specified category. For a complete list of commands and role permissions, see the Fabric OS Command Reference.
Table 10 RBAC permissions matrix
Category | User | Operator | SwitchAdmin | ZoneAdmin | FabricAdmin | BasicSwitchAdmin | Admin | SecurityAdmin
Admin Domains | N | N | N | N | N | N | OM | O
Admin Domains—Selection | OM | OM | OM | OM | OM | OM | OM | OM
Access Gateway | O | OM | OM | O | OM | O | OM | N
APM | O | O | OM | N | OM | O | OM | N
Audit | O | O | O | O | O | O | OM | OM
Authentication | N | N | N | N | N | N | OM | OM
Blade | O | OM | OM | N | OM | O | OM | N
Chassis Configuration | O | OM | OM | N | OM | O | OM | N
Configuration Management | N | O | O | O | O | O | OM | O
Data Migration Manager | N | N | N | N | N | N | OM | N
Debug | N | N | N | N | N | N | N | N
Diagnostics | O | OM | OM | N | OM | O | OM | N
Ethernet Configuration | O | O | OM | N | OM | O | OM | N
Fabric | O | O | O | O | OM | O | OM | O
Fabric Distribution | N | N | N | N | OM | N | OM | OM
Fabric Routing | O | O | O | O | OM | O | OM | N
Fabric Watch | O | OM | OM | N | OM | O | OM | N
FICON | O | OM | OM | N | OM | O | OM | N
Firmware Management | O | OM | OM | O | OM | O | OM | O
FRU Management | O | OM | OM | N | OM | O | OM | N
HA (High Availability) | O | O | OM | N | OM | O | OM | O
iSCSI | O | O | O | O | OM | O | OM | N
License | O | OM | OM | O | OM | O | OM | O
LDAP | N | N | N | N | N | N | OM | OM
Local User Environment | OM | OM | OM | OM | OM | OM | OM | OM
Logging | O | OM | OM | O | OM | O | OM | OM
Management Access Configuration | O | OM | OM | N | OM | O | OM | N
Management Server | O | OM | OM | O | OM | O | OM | N
Name Server | O | O | OM | O | OM | O | OM | N
Nx_Port Management | O | M | OM | N | OM | O | OM | N
Physical Computer System | O | O | O | O | O | O | O | O
PKI | O | O | O | N | O | O | OM | OM
Port Mirroring | N | N | N | N | N | N | OM | N
QOS | O | OM | OM | O | OM | OM | OM | O
RADIUS | N | N | N | N | N | N | OM | OM
Routing—Advanced | O | O | O | N | OM | O | OM | N
Routing—Basic | O | OM | OM | O | OM | O | OM | N
Security | O | N | O | N | OM | O | OM | OM
Session Management | O | OM | OM | N | OM | OM | OM | OM
SNMP | O | O | OM | N | OM | O | OM | OM
Statistics | O | OM | OM | N | OM | O | OM | N
Statistics—Device | O | OM | OM | N | OM | O | OM | N
Statistics—Port | O | OM | OM | N | OM | O | OM | N
Switch Configuration | O | OM | OM | N | OM | O | OM | OM
Switch Management | O | OM | OM | O | OM | O | OM | O
Switch Management—IP Configuration | O | OM | OM | N | OM | O | OM | OM
Switch Port Configuration | O | OM | OM | N | OM | OM | OM | N
Switch Port Management | O | OM | OM | O | OM | OM | OM | O
Topology | O | O | O | N | OM | O | OM | N
User Management | N | N | N | N | N | N | OM | OM
WWN Card | O | OM | OM | N | OM | N | OM | N
Zoning | O | O | O | OM | OM | O | OM | O
Set the authentication model on each switch. Refer to ”Authentication model” on page 65 for more information.

Managing the local database user accounts

User add, change, and delete operations are subject to the subset rule: an admin with ADlist 0-10 cannot perform operations on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.

About the default accounts

Fabric OS provides the following predefined accounts in the local switch user database. The password for all default accounts should be changed during the initial installation and configuration for each switch.
Table 11 lists default local user accounts.
Table 11 Default local user accounts
Account name  Role     Admin Domain       Description
admin         Admin    AD0-255, home: 0   Most commands have observe-modify permission.
factory       Factory  AD0-255, home: 0   Reserved.
root          Root     AD0-255, home: 0   Reserved.
user          User     AD0, home: 0       Most commands have observe-only permission.

Defining local user accounts

In addition to the default administrative and user accounts, Fabric OS supports up to 252 user-defined accounts in each logical switch (domain). These accounts expand your ability to track account access and audit administrative activities.
The following procedures can be performed on local user accounts. Administrators can act on other accounts only if that account has an Admin Domain list that is a subset of the administrator’s own Admin Domain list.
To display account information:
1. Connect to the switch and log in using an admin account.
2. Enter the appropriate show operands for the account information you want to display:
userConfig --show -a to show all account information for a logical switch
userConfig --show -b to show all backup account information for a logical switch
userConfig --show username to show account information for the specified account
userConfig --showad -a admindomain_ID to show all accounts permitted to select the specified admindomain_ID
To create an account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --add <username> -r <rolename> [-h <admindomain_ID>] [-a <admindomain_ID_list>] [-d <description>] [-x]
username Specifies the account name, which must begin with an alphabetic character. The name can be from 8 to 40 characters long. It is case-sensitive and can contain alphabetic and numeric characters, the period (.) and the underscore ( _ ). It must be different than all other account names on the logical switch. The account name cannot be the same as a role name.
-r rolename Specifies the role: one of the role names listed in Table 8 (User, SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, SecurityAdmin, or Admin) in nonsecure mode; in secure mode you can also use NonfcsAdmin.
-h admindomain_ID Optional: Specifies the home Administrative Domain; if no home Administrative Domain is specified, then the lowest numbered Administrative Domain in the list is assigned.
-a admindomain_ID_list Optional: Specifies which Administrative Domains the user may access; if no Administrative Domains are listed, the user is automatically assigned to AD0. Use comma-separated lists, ranges, or both, for example -a 0,9,10-15,244.
-d description Optional: Adds a description to the account. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), single quotation mark (‘), quotation mark (“), exclamation point (!), semicolon (;), and colon (:).
-x Specifies an expired password that must be changed the first time the user logs in.
3. In response to the prompt, enter a password for the account.
The password is not displayed when you enter it on the command line.
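As an added example (not code from the guide or from Fabric OS), the following Python models the Admin Domain list rules that govern the userConfig procedures in this chapter: the -a list syntax shown above (comma-separated IDs and ranges such as 0,9,10-15,244), the home Admin Domain defaulting to the lowest ID in the list and having to be a member of it, and the subset rule stated under “Managing the local database user accounts” that decides whether an administrator may add, change, or delete another account. It generalizes the guide's single 0-10 versus 11-25 case to arbitrary lists. All function names and the verdict strings are this example's own.

```python
from typing import FrozenSet, Iterable, List, Optional

AD_MIN, AD_MAX = 0, 255   # Admin Domain IDs range from 0 to 255


def parse_adlist(spec: str) -> FrozenSet[int]:
    """Parse a userConfig -a list such as "0,9,10-15,244" into a set of AD IDs."""
    ids = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in Admin Domain list")
        lo, sep, hi = token.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not AD_MIN <= start <= end <= AD_MAX:
            raise ValueError(f"bad Admin Domain range: {token!r}")
        ids.update(range(start, end + 1))
    return frozenset(ids)


def format_adlist(ids: Iterable[int]) -> str:
    """Inverse of parse_adlist: collapse consecutive IDs back into ranges."""
    ordered = sorted(set(ids))
    parts: List[str] = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def resolve_home(adlist: FrozenSet[int], requested: Optional[int] = None) -> int:
    """Home Admin Domain rules: an explicit -h must be a member of the list;
    with no -h, the lowest ID in the list becomes the home Admin Domain."""
    if not adlist:
        raise ValueError("Admin Domain list is empty")
    if requested is None:
        return min(adlist)
    if requested not in adlist:
        raise ValueError(
            f"home AD {requested} is not in the Admin Domain list {format_adlist(adlist)}"
        )
    return requested


def may_act_on(actor_adlist: FrozenSet[int], target_adlist: FrozenSet[int]) -> bool:
    """Subset rule for add/change/delete and password changes: the target
    account's AD list must be a subset of the acting administrator's AD list."""
    return target_adlist <= actor_adlist


def check_account_change(actor_spec: str, target_spec: str,
                         home: Optional[int] = None) -> str:
    """Decide whether an admin with actor_spec may manage an account holding
    target_spec, and report the home AD that account would get."""
    actor, target = parse_adlist(actor_spec), parse_adlist(target_spec)
    if not may_act_on(actor, target):
        outside = format_adlist(target - actor)
        return (f"denied: target ADs {outside} are outside the admin's list "
                f"{format_adlist(actor)}")
    return f"allowed: home AD {resolve_home(target, home)}"


if __name__ == "__main__":
    print(check_account_change("0-10", "11-25"))            # the guide's denied case
    print(check_account_change("0-255", "0,9,10-15,244"))   # physical fabric admin
    print(check_account_change("0-10", "3,5-7", home=5))
```

The denied branch names the IDs that fall outside the administrator's list, which is the piece of information an operator needs when a userConfig --change or passwd attempt is refused on a fabric partitioned into Admin Domains.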
To delete an account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --delete username
where username specifies the account name. You cannot delete the default accounts. An account cannot delete itself. All active CLI sessions for the deleted account are logged out.
3. At the prompt for confirmation, enter y.
To change account parameters:
When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userconfig --change username [-r rolename] [-h admindomain_ID] [-a admindomain_ID_list] [-d description] [-e yes | no] [-u] [-x]
username Specifies the account for which parameters are being changed.
-r rolename Changes the role to one of the names listed in Table 8 on page 54. In secure mode, the role can also be changed to NonfcsAdmin. An account cannot change its own role. An account with the Admin role can change the role of any user-defined account except those that also have the Admin role.
-h admindomain_ID Optional: Changes the home Administrative Domain; if no home Administrative Domain is specified, then the lowest numbered Administrative Domain in the list is assigned.
-a admindomain_ID_list Optional: Changes which Administrative Domains the user may access; if no Administrative Domains are listed, the user is automatically assigned to AD0. Use comma-separated lists, ranges, or both, for example -a 0,9,10-15,244.
-d description Optional: Changes the description of the account. The description field can be up to 40 printable ASCII characters long. The following characters are not allowed: asterisk (*), single quotation mark (‘), quotation mark (“), exclamation point (!), semicolon (;), and colon (:).
-e Optional: Enables or disables the account. Enter yes to enable the account or no to disable it. If you disable an account, all active CLI sessions for that account are logged out. You can enable or disable user-defined or default accounts.
-u Optional: Unlocks the user account.
-x Optional: Specifies an expired password that must be changed the first time the user logs in.
To add an Administrative Domain to the account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --addad <username> [-h <admindomain_ID>] [-a <admindomain_ID_list>]
where <username> is the account to which the Administrative Domain is being added (the account must already exist), <admindomain_ID> is the home Administrative Domain, and <admindomain_ID_list> adds the new Administrative Domains to the existing list.
3. Log into the switch again to verify access to the newly-added Admin Domain.
To remove an Administrative Domain from the account:
When removing an Admin Domain from an account, all of the currently active sessions for that account will be logged out.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
userConfig --deletead <username> [-h <admindomain_ID>] [-a <admindomain_ID_list>]
where <username> is the account from which the Admin Domain is being removed (the account must already exist), <admindomain_ID> is the home Admin Domain, and <admindomain_ID_list> is the Admin Domain list to be removed from the existing list. If the -h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list.

Recovering accounts

The following conditions apply to recovering user accounts:
The attributes in the backup database replace the attributes in the current account database.
An event is stored in the system message log, indicating that accounts have been recovered.
To recover an account:
1. Connect to the switch and log in using an admin account.
2. If a backup database exists, enter the following command.
userConfig --recover
The AD list for a user account is not recovered; recovered accounts are given access only to AD0, regardless of previous AD assignments

Changing local account passwords

The following rules apply to changing passwords:
Users can change their own passwords.
Only users with Admin roles can change the password for other accounts. When changing an Admin account password, you must provide the current password.
An admin with ADlist 0-10 cannot change the password on an admin, user, or any role with an ADlist 11-25. The user account being changed must have an ADlist that is a subset of the account that is making the change.
A new password must have at least one character different from the old password.
You cannot change passwords using SNMP.
NOTE: Starting with Fabric OS 4.4.0, accounts with the Admin role can use Web Tools to change passwords. Starting with Fabric OS 3.2.0, you cannot change default account names. Starting with Fabric OS 5.1.0, password policies apply.
For information on password behavior when you upgrade (or downgrade) firmware, see ”Upgrading and downgrading firmware” on page 166.
To change the password for the current login account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
passwd
3. Enter the requested information at the prompts.
To change the password for a different account:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
passwd "name"
where name is the name of the account for which the password is being changed.
3. Enter the requested information at the prompts.

Configuring the local user database

This section covers the following topics:
”Distributing the local user database” on page 61
”Protecting the local user database from distributions” on page 61
”Configuring password policies” on page 62

Distributing the local user database

Distributing the local switch user database and passwords to other switches in the fabric causes the distributed database to replace (overwrite) the database on the target switch. The ‘Locked’ status of a user account is not distributed as part of local user database distribution.
When distributing the user database, the database may be rejected for one of the following reasons:
One of the target switches does not have Fabric OS 5.3.0 or later.
One of the target switch’s user database is protected.
Distribute the user database and password policies only to Fabric OS 5.2.0 or later switches; the distribution command fails if any of the target switches are an earlier version.
To distribute the local user database:
When distributing the local user database, all user-defined accounts residing in the receiving switches will be logged out of any active sessions.
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
distribute -p PWD -d <switch_list>
where <switch_list> is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses. You can also specify -d “*” to send the local user database only to Fabric OS 5.2.0 or later switches in the fabric.

Protecting the local user database from distributions

Fabric OS 5.2.0 and later allows you to distribute the user database and passwords to other switches in the fabric. When the switch accepts a distributed user database, it replaces the local user database with the user database it receives.
By default, Fabric OS 6.x switches accept the user databases and passwords distributed from other switches. This section explains how to protect the local user database from being overwritten.
To accept distribution of user databases on the local switch:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
fddCfg --localaccept PWD
where PWD is the user database policy. Other supported policy databases are SCC, DCC, AUTH, FCS, and IPFILTER.
To reject distributed user databases on the local switch:
1. Connect to the switch and log in using an admin account.
2. Enter the following command:
fddCfg --localreject PWD

Configuring password policies

The password policies described in this section apply to the local switch user database only. Configured password policies (and all user account attribute and password state information) are synchronized across CPs and remain unchanged after an HA failover. Password policies can also be manually distributed across the fabric (see ”Distributing the local user database” on page 61). Following is a list of the configurable password policies:
Password strength
Password history
Password expiration
Account lockout
All password policies are enforced during logins to the standby CP. However, you may observe that the password enforcement behavior on the standby CP is inconsistent with prior login activity because password state information from the active CP is automatically synchronized with the standby CP, thereby overwriting any password state information that was previously stored there. Also, password changes are not permitted on the standby CP.
Password authentication policies configured using the passwdCfg command are not enforced during initial prompts to change default passwords.
Setting the password strength policy
The password strength policy is enforced across all user accounts, and enforces a set of format rules to which new passwords must adhere. The password strength policy is enforced only when a new password is defined. The total of the other password strength policy parameters (lowercase, uppercase, digits, and punctuation) must be less than or equal to the value of the MinLength parameter.
Use the following attributes to set the password strength policy:
Lowercase
Specifies the minimum number of lowercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Uppercase
Specifies the minimum number of uppercase alphabetic characters that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Digits
Specifies the minimum number of numeric digits that must appear in the password. The default value is zero. The maximum value must be less than or equal to the MinLength value.
Punctuation
Specifies the minimum number of punctuation characters that must appear in the password. All printable, non-alphanumeric punctuation characters except colon ( : ) are allowed. The colon character is not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value.
MinLength
Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters. The default value is 8. The maximum value must be greater than or equal to the MinLength value.
Repeat
Specifies the length of repeated character sequences that will be disallowed. For example, if the “repeat” value is set to 3, a password “passAAAword” is disallowed because it contains the repeated sequence “AAA”. A password of “passAAword” would be allowed because no repeated character sequence exceeds two characters. The range of allowed values is 1 – 40. The default value is 1.
Sequence
Specifies the length of sequential character sequences that will be disallowed. A sequential character sequence is defined as a character sequence in which the ASCII value of each contiguous character differs by one. The ASCII value for the characters in the sequence must all be increasing or decreasing. For example, if the “sequence” value is set to 3, a password “passABCword” is disallowed because it contains the sequence “ABC”. A password of “passABword” would be allowed because it contains no sequential character sequence exceeding two characters. The range of allowed values is 1 – 40. The default value is 1.
The following example shows a password strength policy that requires passwords to contain at least three uppercase characters, four lowercase characters and two numeric digits; the minimum length of the password is nine characters.
passwdcfg --set -uppercase 3 -lowercase 4 -digits 2 -minlength 9
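The following is an added illustration, not code from the HP or Brocade guide: a checker that applies the password strength rules above (character-class minimums, MinLength, the 40-character cap, the colon exclusion, and the Repeat and Sequence run rules) to candidate passwords, using the page's own "passAAAword"/"passABCword" cases. It assumes that a Repeat or Sequence value of 1 (the page's default) means the run check is not applied, since read literally a value of 1 would reject every password; that is an assumption, not something the page states.

```python
import string

# Punctuation the page's policy accepts: printable, non-alphanumeric characters except the
# colon, which the page says is rejected because it is incompatible with Web Tools.
ALLOWED_PUNCTUATION = set(string.punctuation) - {":"}
MAX_LENGTH = 40  # passwords are at most 40 characters (page)

# Page defaults for the passwdCfg --set attributes (keys are lowercase CLI option names).
DEFAULT_POLICY = {
    "lowercase": 0, "uppercase": 0, "digits": 0, "punctuation": 0,
    "minlength": 8, "repeat": 1, "sequence": 1,
}


def validate_policy(policy):
    """Mirror the page's constraint on a policy: MinLength is 8..40 and the four
    character-class minimums may not add up to more than MinLength."""
    p = dict(DEFAULT_POLICY, **policy)
    if not 8 <= p["minlength"] <= MAX_LENGTH:
        return False
    return p["lowercase"] + p["uppercase"] + p["digits"] + p["punctuation"] <= p["minlength"]


def longest_repeat(pw):
    """Length of the longest run of one repeated character ('passAAAword' -> 3)."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i > 0 and pw[i - 1] == ch else 1
        best = max(best, run)
    return best


def longest_sequence(pw):
    """Length of the longest run whose ASCII codes step by exactly one, all in the
    same direction ('passABCword' -> 3, 'cba' -> 3, 'passABword' -> 2)."""
    best = min(len(pw), 1)
    run, direction = 1, 0
    for i in range(1, len(pw)):
        step = ord(pw[i]) - ord(pw[i - 1])
        if step in (1, -1) and direction in (0, step):
            run += 1            # continues the current ascending/descending run
        elif step in (1, -1):
            run = 2             # direction changed: a new run starts at the previous char
        else:
            run = 1
        direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best


def check_password(pw, policy=None):
    """Return the list of rule violations; an empty list means the password is accepted."""
    p = dict(DEFAULT_POLICY, **(policy or {}))
    errors = []
    if not p["minlength"] <= len(pw) <= MAX_LENGTH:
        errors.append(f"length must be between {p['minlength']} and {MAX_LENGTH}")
    bad = sorted({c for c in pw if not ((c.isascii() and c.isalnum()) or c in ALLOWED_PUNCTUATION)})
    if bad:
        errors.append("disallowed characters: " + "".join(bad))
    counts = {
        "lowercase": sum(c.islower() for c in pw),
        "uppercase": sum(c.isupper() for c in pw),
        "digits": sum(c.isdigit() for c in pw),
        "punctuation": sum(c in ALLOWED_PUNCTUATION for c in pw),
    }
    for name, have in counts.items():
        if have < p[name]:
            errors.append(f"needs at least {p[name]} {name} characters, has {have}")
    # Assumption: a value of 1 (the page's default) means the run check is not applied,
    # because read literally it would reject every password.
    if p["repeat"] > 1 and longest_repeat(pw) >= p["repeat"]:
        errors.append(f"contains {p['repeat']} or more repeated characters in a row")
    if p["sequence"] > 1 and longest_sequence(pw) >= p["sequence"]:
        errors.append(f"contains a sequential run of {p['sequence']} or more characters")
    return errors


# The page's own policy: passwdcfg --set -uppercase 3 -lowercase 4 -digits 2 -minlength 9
PAGE_POLICY = {"uppercase": 3, "lowercase": 4, "digits": 2, "minlength": 9}

if __name__ == "__main__":
    for candidate in ("PaSsWord12", "password12", "pass:word1"):
        print(candidate, check_password(candidate, PAGE_POLICY) or "accepted")
```

Note that 3 + 4 + 2 = 9 in the page's policy, so the class minimums exactly fill MinLength; raising any of them without raising MinLength makes the policy invalid, which is what validate_policy reports.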
Setting the password history policy
The password history policy prevents users from recycling recently used passwords, and is enforced across all user accounts when users are setting their own passwords. The password history policy is enforced only when a new password is defined.
Specify the number of past password values that are disallowed when setting a new password. Allowable password history values range between 1 and 24. The default value is 2, which means the current password cannot be reused. The value 2 indicates that the current and the two previous passwords cannot be used (and so on, up to 24 passwords).
This policy does not verify that a new password meets a minimal standard of difference from prior passwords; rather, it only determines whether a newly specified password is identical to one of the specified number (1-24) of previously used passwords.
The password history policy is not enforced when an administrator sets a password for another user; instead, the user’s password history is preserved and the password set by the administrator is recorded in the user’s password history.
Setting the password expiration policy
The password expiration policy forces expiration of a password after a configurable period of time, and is enforced across all user accounts. A warning that password expiration is approaching is displayed when the user logs in. When a user’s password expires, he or she must change the password to complete the authentication process and open a user session. You can specify the number of days prior to password expiration during which warnings will commence. Password expiration does not disable or lock out the account.
Use the following attributes to set the password expiration policy:
MinPasswordAge
Specifies the minimum number of days that must elapse before a user can change a password. MinPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to a non-zero value discourages users from rapidly changing a password in order to circumvent the password history setting to select a recently-used password. The MinPasswordAge policy is not enforced when an administrator changes the password for another user.
MaxPasswordAge
Specifies the maximum number of days that can elapse before a password must be changed, and is also known as the password expiration period. MaxPasswordAge values range from 0 to 999. The default value is zero. Setting this parameter to zero disables password expiration.
Warning
Specifies the number of days prior to password expiration that a warning about password expiration is displayed. Warning values range from 0 to 999. The default value is 0 days.
When MaxPasswordAge is set to a non-zero value, MinPasswordAge and Warning must be set to a value that is less than or equal to MaxPasswordAge.
Upgrade and downgrade considerations
If you are upgrading from a 5.3.x environment to 6.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 6.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period. You must explicitly define the password expiration for users who have not performed a password change subsequent to the upgrade.
For example:
March 1st—Using a 5.3.x Fabric OS release. User A changes their password.
April 1—Upgrade to 6.x
May 1—User B changes his password.
June 1—The password configuration parameter MaxPasswordAge is set to 90 days.
User A’s password will expire on September 1. User B’s password will expire on August 1.
Setting the account lockout policy
The account lockout policy disables a user account when that user exceeds a specified number of failed login attempts, and is enforced across all user accounts. You can configure this policy to keep the account locked until explicit administrative action is taken to unlock it, or the locked account can be automatically unlocked after a specified period. Administrators can unlock a locked account at any time.
A failed login attempt counter is maintained for each user on each switch instance. The counters for all user accounts are reset to zero when the account lockout policy is enabled. The counter for an individual account is reset to zero when the account is unlocked after a LockoutDuration period expires.
The admin account can also have the lockout policy enabled on it. The admin account lockout policy is disabled by default and uses the same lockout threshold as the other roles. It can be automatically unlocked after the lockout duration passes, or it can be manually unlocked by a user account that has the securityAdmin or Admin role. The following commands unlock an account and disable the admin lockout policy, respectively:
userConfig --change <account name> -u
passwdCfg --disableadminlockout
Note that the account-locked state is distinct from the account-disabled state.
Use the following attributes to set the account lockout policy:
LockoutThreshold
Specifies the number of times a user can attempt to log in using an incorrect password before the account is locked. The number of failed login attempts is counted from the last successful login. LockoutThreshold values range from 0 to 999, and the default value is 0. Setting the value to 0 disables the lockout mechanism.
LockoutDuration
Specifies the time, in minutes, after which a previously locked account is automatically unlocked. LockoutDuration values range from 0 to 99999, and the default value is 30. Setting the value to 0 disables lockout duration, and would require a user to seek administrative action to unlock the account. The lockout duration begins with the first login attempt after the LockoutThreshold has been reached. Subsequent failed login attempts do not extend the lockout period.
To enable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Type passwdCfg --enableadminlockout.
The policy is now enabled.
To unlock an account:
1. Log in to the switch using an admin or securityAdmin account.
2. Type userConfig --change <account_name> -u.
where <account_name> is the name of the user account that is locked out.
To disable the admin lockout policy:
1. Log in to the switch using an admin or securityAdmin account.
2. Type passwdCfg --disableadminlockout.
The policy is now disabled.
Denial of service implications
The account lockout mechanism may be used to create a denial of service condition by repeatedly attempting to log in to an account using an incorrect password. Selected privileged accounts are exempted from the account lockout policy to prevent them from being locked out from a denial of service attack. However these privileged accounts may then become the target of password guessing attacks. Audit logs may be examined to monitor if such attacks are attempted.
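The following is an added simulation, not code from the HP or Brocade guide, of the lockout behaviour described in this section on a single switch: a per-account failure counter that restarts at the last successful login, locking at LockoutThreshold, a LockoutDuration clock that starts with the first attempt after the threshold is reached and is not extended by further failures, automatic and administrative unlock, and an exempt set modelling the privileged accounts that the denial-of-service paragraph says cannot be locked. The account names, passwords and the choice of "admin" as the exempt account are constructed for the example (the page says admin lockout is off by default but does not list which accounts are exempt); the audit record shape is also the example's own.

```python
from dataclasses import dataclass
from typing import Optional

DENIED, LOCKED, OK = "denied", "locked", "ok"


@dataclass
class LockoutPolicy:
    threshold: int = 0        # LockoutThreshold; 0 disables lockout (page default)
    duration: int = 30        # LockoutDuration in minutes; 0 means only an administrator can unlock
    exempt: frozenset = frozenset()  # accounts the policy never locks (constructed; see lead-in)


@dataclass
class AccountState:
    failures: int = 0                     # failed attempts since the last successful login
    locked: bool = False
    lock_started: Optional[int] = None    # minute at which the LockoutDuration clock started


class LoginGuard:
    """Tracks per-account failure counters for one switch, as the page describes."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials    # constructed sample user database: name -> password
        self.state = {}
        self.audit = []                   # (minute, account, event) records for later review

    def _state(self, account):
        return self.state.setdefault(account, AccountState())

    def unlock(self, account):
        """Explicit administrative unlock (userConfig --change <account> -u); resets the counter."""
        self.state[account] = AccountState()

    def _still_locked(self, account, now):
        st = self._state(account)
        if not st.locked:
            return False
        if st.lock_started is None:
            # The clock starts with the first attempt after the threshold was reached;
            # later failed attempts do not extend it.
            st.lock_started = now
        elif self.policy.duration and now - st.lock_started >= self.policy.duration:
            self.unlock(account)          # automatic unlock also resets the counter
            return False
        return True

    def login(self, account, password, now):
        if self._still_locked(account, now):
            self.audit.append((now, account, "attempt on locked account"))
            return LOCKED
        st = self._state(account)
        if self.credentials.get(account) == password:
            self.unlock(account)          # success: counting restarts from this login
            self.audit.append((now, account, "login ok"))
            return OK
        st.failures += 1
        self.audit.append((now, account, "login failed"))
        if self.policy.threshold and st.failures >= self.policy.threshold:
            if account in self.policy.exempt:
                # Exempt accounts cannot be locked, so they stay reachable during a
                # lockout-based denial of service but also remain open to guessing;
                # the audit trail is where such attempts become visible.
                self.audit.append((now, account, "threshold exceeded on exempt account"))
            else:
                st.locked = True
        return DENIED


def simulate():
    """Constructed scenario: threshold 3, duration 30 minutes, admin exempt from lockout."""
    guard = LoginGuard(LockoutPolicy(threshold=3, duration=30, exempt=frozenset({"admin"})),
                       {"jsmith": "Correct-Horse-9", "admin": "Battery-Staple-7"})
    results = [guard.login("jsmith", "wrong", t) for t in (0, 1, 2)]   # three failures -> locked
    results.append(guard.login("jsmith", "Correct-Horse-9", 3))         # right password, still locked; clock starts
    results.append(guard.login("jsmith", "wrong", 10))                  # does not extend the lockout
    results.append(guard.login("jsmith", "Correct-Horse-9", 33))        # 30 minutes elapsed -> unlocked
    admin = [guard.login("admin", "wrong", t) for t in range(5)]        # never locked, but audited
    return results, admin, guard.audit


if __name__ == "__main__":
    for record in simulate()[2]:
        print(*record)
```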

Authentication model

This section discusses the authentication model of the switch management channel connections using the aaaConfig command. Fabric OS 6.x supports the use of both the local user database and the RADIUS service at the same time; and the local user database and LDAP using Microsoft’s Active Directory in Windows at the same time. Table 12 on page 66 outlines the available command options.
When configured to use RADIUS or LDAP, the switch acts as a network access server (NAS) and RADIUS or LDAP client. The switch sends all authentication, authorization, and accounting (AAA) service requests to the RADIUS or LDAP server. The RADIUS or LDAP server receives the request, validates the request, and sends its response back to the switch.
The supported management access channels that integrate with RADIUS and LDAP are the serial port, Telnet, SSH, Web Tools, and the API. All of these require the switch IP address or name to connect. The RADIUS server accepts both IPv4 and IPv6 address formats, while the LDAP server accepts only an IPv4 address.
A switch can be configured to try both RADIUS or LDAP and local switch authentication.
For systems such as the HP 4/256 SAN Director and DC SAN Backbone Director (DC Director), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP, and for the purpose of HA failover, both CP IP addresses of a Director should be included in the RADIUS or LDAP server configuration.
When configured for RADIUS or LDAP, a switch becomes a RADIUS or LDAP client. In either of these configurations, authentication records are stored in the RADIUS or LDAP host server database. Login and logout account name, assigned role, and time-accounting records are also stored on the RADIUS or LDAP server for each user.
By default, the RADIUS and LDAP services are disabled, so AAA services default to the switch local database.
To enable the RADIUS or LDAP service, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can change the configuration simultaneously, and the last session to apply a change leaves its configuration in effect. After a configuration is applied, it persists after a reboot or an HA failover.
To enable LDAP service, you will need to install a certificate on the Microsoft Active Directory server.
The configuration applies to all switches and on a Director the configuration replicates itself on a standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download.
You should configure at least two RADIUS servers so that if one fails, the other will assume service.
You can set the configuration with both RADIUS or LDAP service and local authentication enabled so that if the RADIUS or LDAP servers do not respond due to power failure or network problems, the switch uses local authentication.
Consider the following effects of the use of RADIUS or LDAP service on other Fabric OS features:
• When RADIUS or LDAP service is enabled, all account passwords must be managed on the RADIUS or LDAP server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS or LDAP server, nor do they affect any account on the RADIUS or LDAP server.
• When RADIUS or LDAP is set up for a fabric that contains a mix of switches with and without RADIUS or LDAP support, the way a switch authenticates users depends on whether or not a RADIUS or LDAP server is set up for that switch. For a switch with RADIUS or LDAP support and configuration, authentication bypasses the local password database. For a switch without RADIUS or LDAP support or configuration, authentication uses the switch’s local account names and passwords.
The following behaviors apply to Web Tools:
• Web Tools client and server keep a session open after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS or LDAP, a switch password change on the RADIUS or LDAP server does not invalidate an existing open session, although a password change on the local switch does.
• If you cannot log in because of a RADIUS or LDAP server connection problem, Web Tools displays a message indicating server outage.
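The distinction between falling back to the local database on any remote failure and falling back only when the service is unreachable is the one that matters most when choosing an --authspec setting, because with the plain "radius;local" form a credential rejected by RADIUS is retried against the local database, so a stale local account can still grant access. The following decision function is an added illustration, not code from the HP or Brocade guide; it models the --authspec modes described in this section as a pure function of the remote and local outcomes.

```python
ACCEPTED, REJECTED, UNAVAILABLE = "accepted", "rejected", "unavailable"


def authenticate(authspec, backup, remote_result, local_result):
    """Decide a management login under an aaaConfig --authspec setting.

    authspec      -- the string given to --authspec, e.g. "radius;local"
    backup        -- True when --backup was also given
    remote_result -- outcome of the RADIUS/LDAP exchange: ACCEPTED, REJECTED
                     (credentials did not match) or UNAVAILABLE (no server answered)
    local_result  -- what the local user database would say: ACCEPTED or REJECTED
    Returns (login_allowed, method_that_decided).
    """
    methods = [m.strip() for m in authspec.split(";") if m.strip()]
    for index, method in enumerate(methods):
        if method == "local":
            return local_result == ACCEPTED, "local"
        if method not in ("radius", "ldap"):
            raise ValueError(f"unknown authentication method {method!r}")
        if remote_result == ACCEPTED:
            return True, method
        has_fallback = index + 1 < len(methods)
        if not has_fallback:
            return False, method          # "radius" / "ldap" alone: any failure ends the login
        if backup and remote_result == REJECTED:
            return False, method          # --backup: a rejection is final; only an outage falls through
        # plain "radius;local" / "ldap;local": any failure, including a rejection,
        # falls through to the next method
    return False, "none"


if __name__ == "__main__":
    # A user whose RADIUS password is wrong but whose old local account still exists:
    for spec, backup in (("radius", False), ("radius;local", False), ("radius;local", True)):
        print(spec, "--backup" if backup else "", authenticate(spec, backup, REJECTED, ACCEPTED))
```

The table on the page is the authority for each mode; the function only makes the fallback condition explicit so the two "radius;local" variants can be compared side by side.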
Table 12 lists authentication configuration options.

Table 12 Authentication configuration options

aaaConfig options | Description | Equivalent setting in Fabric OS 5.1.0 and earlier: --radius / --switchdb (1)
--authspec "local" | Replaces --localonly. Default setting. Authenticates management connections against the local database only. If the password does not match or the user is not defined, the login fails. | Off / On
--authspec "radius" | Replaces --radiusonly. Authenticates management connections against the RADIUS database(s) only. If the RADIUS service is not available or the credentials do not match, the login fails. | On / Off
--authspec "radius;local" | Replaces --radiuslocal. Authenticates management connections against any RADIUS databases first. If RADIUS fails for any reason, authenticates against the local user database. | not supported
--authspec "radius;local" --backup | Replaces --radiuslocalbackup. Authenticates management connections against any RADIUS databases. If RADIUS fails because the service is not available, authenticates against the local user database. | On / On
--authspec "ldap" | Authenticates management connections against any LDAP database(s) only. If LDAP service is not available or the credentials do not match, the login fails. | n/a / n/a
--authspec "ldap;local" | Authenticates management connections against any LDAP database first. If LDAP fails for any reason, authenticates against the local user database. | n/a / On
1. Fabric OS 5.1.0 and earlier aaaConfig --switchdb <on | off> setting.
To set the switch authentication mode:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --authspec ["radius" | "ldap" | "radius;local" | "ldap;local"] [--backup]

Creating Fabric OS user accounts

RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access roles.
RADIUS and LDAP support all the defined RBAC roles described in Table 8 on page 54.
Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not have a VSA role assignment, the User role is assigned. If no Administrative Domain is assigned, then the user is assigned to the default Admin Domain AD0.
The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in Table 13.
Table 13 Syntax for VSA-based account roles
Item | Value | Description
Type | 26 | 1 octet
Length | 7 or higher | 1 octet, calculated by the server
Vendor ID | 1588 | 4 octet, Brocade's SMI Private Enterprise Code
Vendor type | 1 | 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role are: SwitchAdmin, ZoneAdmin, FabricAdmin, BasicSwitchAdmin, Operator, User, Admin
Vendor type | 2 | Brocade-AVPairs1. Optional: specifies the Admin Domain member list. For more information, see ”RADIUS configuration and Admin Domains” on page 69.
Vendor type | 3 | Brocade-AVPairs2
Vendor type | 4 | Brocade-AVPairs3
Vendor type | 5 | Brocade-AVPairs4
Vendor length | 2 or higher | 1 octet, calculated by server, including vendor-type and vendor-length
Attribute-specific data | ASCII string | Multiple octet, maximum 253, indicating the name of the assigned role and other supported attribute values such as Admin Domain member list.

Managing Fabric OS users on the RADIUS server

All existing Fabric OS mechanisms for managing local switch user accounts and passwords remain functional when the switch is configured to use the remote authentication dial-in user service (RADIUS). Changes made to the local switch database do not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.
Windows 2000 IAS
For example, to configure a Windows 2000 internet authentication service (IAS) server to use a VSA to pass the Admin role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), the Vendor-assigned attribute number (1), and the attribute value (admin).
Linux FreeRadius server
For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade. Include the values outlined in Table 14.
Table 14 dictionary.brocade file entries
Include Key Value
VENDOR Brocade 1588
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
AdminDomain
After you have completed the dictionary file, define the role for the user in a configuration file. For example, to grant the user jsmith the Admin role, you would add the following statement to the configuration file:
jsmith Auth-Type := Local, User-Password == "jspassword"
        Brocade-Auth-Role = "admin"
RADIUS configuration and Admin Domains
When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration.
The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of attributes, value is the attribute value for the given key, the equal sign (=) is the separator between key and value, and the semi-colon (;) is an optional separator for multiple key-value pairs.
Multiple key-value pairs can appear for one Vendor-Type code. Key-value pairs with the same key name may be concatenated across multiple Vendor-Type codes. You can use any combination of the Vendor-Type codes to specify key-value pairs. Note that a switch always parses these attributes from Vendor-Type code 2 to Vendor-Type code 4.
Only two kinds of keys are accepted; all other keys are ignored. The following keys are accepted:
• HomeAD is the designated home Admin Domain for the account. The valid value is between 0 and 255, inclusive. The first valid HomeAD key-value pair is accepted by the switch, and any additional HomeAD key-value pairs are ignored.
• ADList is a comma-separated list of Administrative Domain numbers of which this account is a member. Valid numbers range from 0 to 255, inclusive. A dash between two numbers specifies a range. Multiple ADList key-value pairs within the same or across different Vendor-Type codes are concatenated. Multiple occurrences of the same AD number are ignored.
RADIUS authentication requires that the account have a valid role through the attribute type Brocade-Auth-Role. The additional attribute values ADList and HomeAD are optional. If they are unspecified, the account can log in with AD0 as its member list and home Admin Domain. If there is an error in ADList or HomeAD specification, the account cannot log in until the AD list is corrected; an error message is displayed.
For example, on a Linux FreeRadius Server, the user (user-za) with the following settings takes the “ZoneAdmin” role, with AD member list: 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will be 1.
user-za Auth-Type := Local, User-Password == "password"
        Brocade-Auth-Role = "ZoneAdmin",
        Brocade-AVPairs1 = "ADList=1,2,6",
        Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRadius Server, the user takes the “Operator” role, with ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and homeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
        Brocade-Auth-Role = "operator",
        Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
        Brocade-AVPairs2 = "ADList=4-8,20;ADList=7,9,12"
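The following is an added example, not code from the HP or Brocade guide, covering both the VSA layout of Table 13 and the key=val rules of this section: it packs and unpacks Brocade vendor-specific attributes (Type 26, Vendor ID 1588, vendor types 1 through 5) and then applies the HomeAD/ADList rules (first HomeAD wins, ADList entries and dash ranges concatenated and de-duplicated, unknown keys ignored, malformed values rejected) to the attributes of an Access-Accept. The byte strings are constructed from the user-opr example above; the 255-octet cap on a whole RADIUS attribute comes from the RADIUS attribute format rather than from this page. The page does not state which home Admin Domain applies when ADList is given without HomeAD, so the function leaves it unset in that case.

```python
import struct

VSA_TYPE = 26                 # RADIUS Vendor-Specific attribute type
BROCADE_VENDOR_ID = 1588      # Brocade's SMI Private Enterprise Code (Table 13)
VENDOR_TYPES = {1: "Brocade-Auth-Role", 2: "Brocade-AVPairs1", 3: "Brocade-AVPairs2",
                4: "Brocade-AVPairs3", 5: "Brocade-AVPairs4"}


def encode_vsa(vendor_type, value):
    """Build one Brocade VSA: Type 26, Length, Vendor-ID, Vendor-Type, Vendor-Length, data."""
    data = value.encode("ascii")
    if len(data) > 255 - 8:   # the one-octet Length field caps the whole attribute at 255
        raise ValueError("value too long for a single attribute")
    header = struct.pack("!BBIBB", VSA_TYPE, 8 + len(data), BROCADE_VENDOR_ID,
                         vendor_type, 2 + len(data))
    return header + data


def decode_vsas(attributes):
    """Walk a byte string of RADIUS attributes; return {vendor_type: [string, ...]}
    for the Brocade VSAs found, in packet order. Non-Brocade attributes are skipped."""
    found = {}
    pos = 0
    while pos < len(attributes):
        if pos + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed attribute length")
        body = attributes[pos + 2:pos + alen]
        if atype == VSA_TYPE and len(body) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor_id == BROCADE_VENDOR_ID and vlen == len(body) - 4:
                found.setdefault(vtype, []).append(body[6:].decode("ascii"))
        pos += alen
    return found


def parse_ad_attributes(vsas):
    """Apply the page's key=val[;key=val] rules to Brocade-AVPairs1..4 (vendor types
    2..5 of Table 13, read in ascending order)."""
    home = None
    members = []
    for vtype in sorted(t for t in VENDOR_TYPES if t >= 2):
        for value in vsas.get(vtype, []):
            for pair in value.split(";"):
                key, sep, val = pair.partition("=")
                if not sep:
                    continue                      # not a key=val pair
                key = key.strip()
                if key == "HomeAD":
                    number = int(val)             # int() raises ValueError on garbage
                    if not 0 <= number <= 255:
                        raise ValueError("HomeAD out of range")
                    if home is None:              # first valid HomeAD wins, later ones ignored
                        home = number
                elif key == "ADList":
                    for item in val.split(","):
                        low, dash, high = item.partition("-")
                        low = int(low)
                        high = int(high) if dash else low
                        if not 0 <= low <= high <= 255:
                            raise ValueError("ADList entry out of range")
                        for n in range(low, high + 1):
                            if n not in members:  # duplicates across pairs are ignored
                                members.append(n)
                # any other key is ignored
    return sorted(members), home


def authorize(attributes):
    """Derive role and Admin Domain membership from an Access-Accept's attributes."""
    vsas = decode_vsas(attributes)
    role = vsas.get(1, ["User"])[0]        # no Brocade-Auth-Role -> User role (page)
    members, home = parse_ad_attributes(vsas)
    if not members and home is None:       # no AD attributes at all -> AD0 (page)
        members, home = [0], 0
    return {"role": role, "adlist": members, "homead": home}


# Constructed Access-Accept attributes matching the page's user-opr example.
USER_OPR_ATTRIBUTES = (encode_vsa(1, "operator")
                       + encode_vsa(2, "ADList=1,2;HomeAD=2")
                       + encode_vsa(3, "ADList=4-8,20;ADList=7,9,12"))

if __name__ == "__main__":
    print(authorize(USER_OPR_ATTRIBUTES))
```

A malformed ADList such as "4-" raises ValueError, which corresponds to the page's rule that the account cannot log in until the AD list is corrected.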

Configuring the RADIUS server

You must know the switch IP address, in either IPv4 or IPv6 notation, or name to connect to switches. Use the ipAddrShow command to display a switch IP address.
For Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, make sure the CP blade IP addresses are used. For accessing both the active and standby CP blade, and for the purpose of HA failover, both of the CP blade IP addresses should be included in the RADIUS server configuration.
User accounts should be set up by their true network-wide identity, rather than by the account names created on a Fabric OS switch. Along with each account name, the administrator should assign appropriate switch access roles. To manage a fabric, these roles can be User, Admin, and SecurityAdmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept response without such VSA role assignment automatically assigns the user role.
The following sections describe how to configure a RADIUS server to support clients under different operating systems.
Linux
The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at the following website:
www.freeradius.org
Follow the installation instructions at the web site. FreeRADIUS runs on Linux (all versions), FreeBSD, NetBSD, and Solaris. If you make a change to any of the files used in this configuration, you must stop the server and restart it for the changes to take effect.
FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the PREFIX is /usr/local.
Configuring RADIUS service on Linux consists of the following tasks:
Adding the Brocade attribute to the server
Creating the user
Enabling clients
To add the Brocade attribute to the server:
1. Create and save the file $PREFIX/etc/raddb/dictionary.brocade with the following information:
#
# Brocade FabricOS 5.0.1 dictionary
#
VENDOR Brocade 1588
#
# attribute 1 defined to be Brocade-Auth-Role
# string defined in user configuration
#
ATTRIBUTE Brocade-Auth-Role 1 string Brocade
This defines the Brocade vendor ID as 1588, the Brocade attribute 1 as Brocade-Auth-Role, and it is a string value.
2. Open the file $PREFIX/etc/raddb/dictionary in a text editor and add the line:
$INCLUDE dictionary.brocade
As a result, the file dictionary.brocade is located in the RADIUS configuration directory and loaded for use by the RADIUS server.
To create the user:
Open the $PREFIX/etc/raddb/user file in a text editor and add user names and roles for users who will be accessing the switch and authenticating through RADIUS. The user will log in using the role specified with Brocade-Auth-Role. The valid roles include Root, Admin, SwitchAdmin, ZoneAdmin, SecurityAdmin, BasicSwitchAdmin, FabricAdmin, Operator and User. You must use quotation marks around “password” and “role”.
For example, to set up an account called JohnDoe with the Admin role:
JohnDoe Auth-Type := Local, User-Password == "johnPassword"
        Brocade-Auth-Role = "admin"
The next example uses the local system password file to authenticate users.
JohnDoe Auth-Type := System
        Brocade-Auth-Role = "admin"
When you use Network Information Service (NIS) for authentication, the only way to enable authentication with the password file is to force the switch to authenticate using Password Authentication Protocol (PAP); this requires the -a pap option with the aaaConfig command.
Clients are the switches that will use the RADIUS server; each client must be defined. By default, all IP addresses are blocked.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director) models send their RADIUS requests using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that, in the event of a failover, users can still log in to the switch.
To enable clients:
1. Open the $PREFIX/etc/raddb/client.config file in a text editor and add the switches that are to be configured as RADIUS clients. For example, to configure the switch at IP address 10.32.170.59 as a client:
client 10.32.170.59 {
        secret = Secret
        shortname = Testing Switch
        nastype = other
}
In this example, shortname is an alias used to easily identify the client. Secret is the shared secret between the client and server. Make sure the shared secret matches that configured on the switch (see ”To add a RADIUS server to the switch configuration:” on page 76).
Save the file $PREFIX/etc/raddb/client.config then start the RADIUS server as follows:
$PREFIX/sbin/radiusd
Windows 2000
The instructions for setting up RADIUS on a Windows 2000 server are listed here for your convenience but are not guaranteed to be accurate for your network environment. Always check with your system administrator before proceeding with setup.
Configuring RADIUS service on Windows 2000 consists of the following tasks:
Installing internet authentication service (IAS)
For more information and instructions on installing IAS, refer to the Microsoft web site.
Enabling the Challenge Handshake Authentication Protocol (CHAP)
If CHAP authentication is required, then Windows must be configured to store passwords with reversible encryption. Reverse password encryption is not the default behavior; it must be enabled.
If a user is configured prior to enabling reverse password encryption, then the user’s password is stored and cannot utilize CHAP. To use CHAP, the password must be re-entered after encryption is enabled. If the password is not re-entered, then CHAP authentication will not work and the user will be unable to authenticate from the switch.
Configuring a user
IAS is the Microsoft implementation of a RADIUS server and proxy. IAS uses the Windows native user database to verify user login credentials; it does not list specific users, but instead lists user groups.
Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group.
Configuring the server
To enable CHAP:
1. From the Windows Start menu, select Programs > Administrative Tools > Local Security Policy to open the Local Security Settings window.
2. In the Local Security Settings window, expand the Account Policies folder and select the Password Policy folder.
3. From the list of policies in the Password Policy folder, right-click Store password using reversible encryption for all users in the domain, and select Security from the pop-up menu.
4. An additional Local Security Settings window appears. Click the Enabled radio button and then click OK.
To configure users:
1. From the Windows Start menu, select Programs > Administrative Tools > Computer Management to open the Computer Management window.
2. In the Computer Management window, expand the Local Users and Groups folder and select the Groups folder.
3. Right-click the Groups folder and select New Group from the pop-up menu.
4. In the New Group window, provide a Name and Description for the group and click Add.
5. In the Select Users or Groups window, select the user (who should already have been configured) you want to add to the group and click Add.
6. Repeat this for every user you want to add. When you have completed adding all users, click OK.
7. In the New Group window, verify the users you added in step 4 appear in the Members field; then click Create to create this group. The new groups are created for each login type (admin, switchAdmin, user).
To configure the RADIUS server:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service to open the Internet Authentication Service window.
2. In the Internet Authentication Service window, right-click the Clients folder and select New Client from the pop-up menu.
A client is the device that uses the RADIUS server; in this case, it is the switch.
3. In the Add Client window, provide the following:
Friendly name—The friendly name should be an alias that is easily recognizable as the switch to which you are connecting.
Protocol—Select RADIUS as the protocol.
4. In the Add RADIUS Client window, provide the following:
Client address (IP or DNS)—Enter the IP address of the switch.
Client-Vendor—Select RADIUS Standard.
Shared secret—Provide a password. Shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients. Keep your shared secret password in a safe place. You will need to enter this password in the switch configuration.
After clicking Finish, repeat step 2 through step 4 for all switches on which RADIUS authentication will be used.
5. In the Internet Authentication Service window, right-click the Remote Access Policies folder; then select New Remote Access Policy from the pop-up window. A remote access policy must be created for each login role (Root, Admin, Factory, SwitchAdmin, and User) for which you want to use RADIUS. Apply this policy to the user groups that you already created.
6. In the Add Remote Access Policy window, enter an easily identifiable Policy friendly name that will enable you to see the switch login for which the policy is being created; then click Next.
7. After the Add Remote Access Policy window refreshes, click Add.
8. In the Select Attribute window, select Windows Groups and click Add.
9. In the Groups window, click Add.
10. In the Select Groups window, select the user-defined group for which you are creating a policy and
click Add. After adding all appropriate groups, click OK. In the Groups window, click OK.
11. In the Add Remote Access Policy window, confirm that the Conditions section displays the group(s) that you selected and click Next.
12. After the Add Remote Access Policy window refreshes, select the Grant remote access permission radio button and click Next.
13. After the Add Remote Access Policy window refreshes again, click Edit Profile.
14. In the Edit Dial-in Profile window, click the Authentication tab and check only the Encrypted Authentication (CHAP) and Unencrypted Authentication (PAP, SPAP) checkboxes; then click the Advanced tab and click Add.
15. In the Add Attributes window, select Vendor-Specific and click Add.
16. In the Multivalued Attribute Information window, click Add.
17. In the Vendor-Specific Attribute Information window, click the Enter Vendor Code radio button and enter the value 1588. Click the Yes. It conforms radio button, and then click Configure Attribute....
18. In the Configure VSA (RFC compliant) window, enter the following values and click OK.
Vendor-assigned attribute number—Enter the value 1.
Attribute format—Enter String.
Attribute value—Enter the login role (Root, Admin, SwitchAdmin, User, etc.) the user group must use to log in to the switch.
19. In the Multivalued Attribute Information window, click OK.
20. In the Edit Dial-in Profile window, remove all additional parameters (except the one you just added, “Vendor-Specific”) and click OK.
21. In the Add Remote Access Policy window, click Finish.
After returning to the Internet Authentication Service window, repeat step 5 through step 21 to add additional policies for all login types for which you want to use the RADIUS server. After this is done, you can configure the switch.
LDAP configuration and Microsoft’s Active Directory
LDAP provides user authentication and authorization using Microsoft's Active Directory service in conjunction with LDAP on the switch. The following are restrictions when using LDAP:
In Fabric OS 6.x there is no password change through Active Directory.
There is no automatic migration of newly created users from the local switch database to Active Directory. This is a manual process explained later.
LDAP authentication is used on the local switch only and not for the entire fabric.
Roles for users can be added through the Microsoft Management Console. Groups created in Active Directory must correspond directly to the RBAC user roles on the switch. Role assignments can be achieved by including the user in the respective group. A user can be assigned to multiple groups like Switch Admin and Security Admin. For more information on RBAC roles, see ”Using Role-Based Access Control (RBAC)” on page 54.
NOTE: All instructions involving Microsoft’s Active Directory can be obtained from www.microsoft.com. Confer with your network administrator prior to configuration for any special needs your network environment may have.
To set up LDAP:
1. Install a certificate on the Windows Active Directory server for LDAP. Create a user in the Microsoft Active Directory server. For instructions on how to create a user, refer to www.microsoft.com or Microsoft documentation.
2. Create a group whose name is the switch’s role name, so that the Active Directory group’s name is the same as the switch’s role name.
3. Associate the user to the group by adding the user to the group. For instructions on how to add a user to a group, refer to www.microsoft.com or Microsoft documentation.
4. Add the user’s Administrative Domains to the CN_list by editing the adminDescription value. This maps the admin domains to the user name. Multiple admin domains can be added as a string value separated by the underscore character ( _ ).
To create a user:
To create a user in Active Directory, refer to www.microsoft.com or Microsoft documentation. There are no special attributes.
To create a group:
To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You will need to verify that the group uses the following attributes:
The name of the group has to match the RBAC role.
The Group Type must be Security.
The Group Scope must be Global.
To assign the group (role) to the user:
To assign the user to a group in the Active Directory, refer to www.microsoft.com or Microsoft documentation. You will need to verify that the user has the following attributes:
1. Update the memberOf field with the login role (Root, Admin, SwitchAdmin, User, etc.) that the user must use to log in to the switch. (memberOf is filled in by Active Directory when the user is added to the group’s member list.)
2. From the Windows Start menu, select Programs > Administrative Tools > ADSI Edit (adsiedit.msc).
ADSI Edit is a Microsoft Windows Resource Utility. It must be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1, or you can download it from the Microsoft website.
3. Go to CN=Users.
4. Right-click the user and select Properties. Click the Attribute Editor tab.
5. Double-click the adminDescription attribute.
This opens the String Attribute Editor dialog box.
6. Enter the value for the admin domains separated by an underscore ( _ ) into the Value field.
Example
adlist_0_10_200_endAd
The Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, then homeAD ‘0’ will be the default administrative domain for the user.
NOTE: You can perform batch operations using the Ldifde.exe utility. For more information on importing and exporting schemas, refer to your Microsoft documentation or visit www.microsoft.com.
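The group attributes, the group membership and the adminDescription format described above, together with the Ldifde.exe batch import the note mentions, as an added worked example in Python; it is not code from this guide or from Microsoft. It assumes the guide’s adlist_..._endAd format, standard Active Directory LDIF semantics (groupType -2147483646 for a Security group with Global scope; membership written on the group’s member attribute, from which memberOf is derived) and that Fabric OS admin domains are numbered 0 to 255. The domain DC=example,DC=local, the user alice and the admin-domain numbers are constructed for illustration, and the function names are the example’s own.

```python
"""Added example (not from the HP/Brocade guide): validate and build the
adminDescription admin-domain list, and generate an LDIF file that
Ldifde.exe can import to create the role groups, a user and the group
membership in one batch.  Domain, user and AD numbers are constructed."""

# Login roles the guide lists; the AD group name must match the RBAC role name.
ROLES = ("Root", "Admin", "Factory", "SwitchAdmin", "User")

# AD groupType for Group Type = Security, Group Scope = Global:
# ADS_GROUP_TYPE_GLOBAL_GROUP (0x2) | ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000),
# stored as a signed 32-bit integer.
GROUP_TYPE_GLOBAL_SECURITY = -2147483646

AD_MIN, AD_MAX = 0, 255  # assumption: Fabric OS admin domains run AD0..AD255


def parse_adlist(value: str):
    """Parse 'adlist_<ad>_<ad>..._endAd' as the guide shows it.
    Returns (home_ad, [ads]); empty value or empty list means home AD 0."""
    if not value:
        return 0, []
    parts = value.split("_")
    if len(parts) < 2 or parts[0] != "adlist" or parts[-1] != "endAd":
        raise ValueError("adminDescription must look like adlist_0_10_endAd")
    ads = []
    for p in parts[1:-1]:
        if not p.isdigit() or not AD_MIN <= int(p) <= AD_MAX:
            raise ValueError(f"bad admin domain {p!r}")
        ads.append(int(p))
    if not ads:
        return 0, []
    return ads[0], ads  # the first entry is the user's home admin domain


def build_adlist(ads) -> str:
    """Inverse of parse_adlist; validates the result by round-tripping it."""
    text = "_".join(["adlist", *map(str, ads), "endAd"])
    parse_adlist(text)
    return text


def ldif_role_groups(base_dn: str, roles=ROLES) -> str:
    """One LDIF 'add' entry per role group under CN=Users."""
    lines = []
    for role in roles:
        lines += [f"dn: CN={role},CN=Users,{base_dn}",
                  "changetype: add",
                  "objectClass: group",
                  f"sAMAccountName: {role}",
                  f"groupType: {GROUP_TYPE_GLOBAL_SECURITY}",
                  ""]
    return "\n".join(lines)


def ldif_user(base_dn: str, user: str, role: str, ads) -> str:
    """Create the user with its adminDescription, then add it to the role
    group.  memberOf on the user is a back-link computed from the group's
    member attribute, so the membership is written on the group."""
    if role not in ROLES:
        raise ValueError(f"{role!r} is not a switch role")
    user_dn = f"CN={user},CN=Users,{base_dn}"
    lines = [f"dn: {user_dn}",
             "changetype: add",
             "objectClass: user",
             f"sAMAccountName: {user}",
             f"adminDescription: {build_adlist(ads)}",
             "",
             f"dn: CN={role},CN=Users,{base_dn}",
             "changetype: modify",
             "add: member",
             f"member: {user_dn}",
             "-",
             ""]
    return "\n".join(lines)


if __name__ == "__main__":
    base = "DC=example,DC=local"
    print(ldif_role_groups(base))
    print(ldif_user(base, "alice", "SwitchAdmin", [0, 10, 200]))
```

Write the two outputs to a file and import it on a domain controller with ldifde -i -f roles.ldf; the user entry created this way is disabled and has no password until you set one, so finish the account in Active Directory Users and Computers before testing the switch login.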

Configuring authentication servers on the switch

RADIUS and LDAP configuration of the switch is controlled by the aaaConfig command.
At least one RADIUS or LDAP server must be configured before you can enable RADIUS or LDAP service. You can configure the RADIUS or LDAP service even if it is disabled on the switch. You can configure up to five RADIUS or LDAP servers. You must be logged in as admin or switchadmin to configure the RADIUS service.
NOTE: On dual-CP switches (the 4/256 SAN Director and the DC Director), the switch sends its RADIUS
or LDAP request using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that users can still log in to the switch in the event of a failover.
RADIUS or LDAP configuration is chassis-based configuration data. On platforms containing multiple switch instances, the configuration applies to all instances. The configuration is persistent across reboot and firmwareDownload. On a chassis-based system, the command must replicate the configuration to the standby CP.
Multiple login sessions can invoke the command simultaneously. The last session that applies the change will be the one whose configuration is in effect. This configuration is persistent after an HA failover.
The RADIUS or LDAP servers are contacted in the order they are listed, starting from the top of the list and moving to the bottom.
The following procedures show how to use the aaaConfig command to set up a switch for RADIUS or LDAP service.
To display the current RADIUS configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --show
If a configuration exists, its parameters are displayed. If RADIUS or LDAP service is not configured, only the parameter heading line is displayed. Parameters include:
Position         The order in which servers are contacted to provide service.
Server           The server names or IPv4 or IPv6 addresses.
Port             The server ports.
Secret           The shared secrets.
Timeouts         The length of time servers have to respond before the next server is contacted.
Authentication   The type of authentication being used on servers.
To add a RADIUS server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --add <server> [-p port] [-s secret] [-t timeout] [-a pap | chap | peap-mschapv2]
server   Enter either a server name or IPv4 or IPv6 address. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port   Optional: Enter a server port. The default is port 1812.
-s secret   Optional: Enter a shared secret. The default is “sharedsecret”. Secrets can be from 8 to 40 alphanumeric characters long. Make sure that the secret matches that configured on the server. Do not leave the default in place: the secret is what lets the switch tell a genuine server reply from a forged one, and it is the only protection for PAP passwords in transit.
-t timeout   Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-a [pap|chap|peap-mschapv2]   Specify PAP, CHAP or PEAP as the authentication protocol. Use peap-mschapv2 to provide an encrypted authentication channel between the switch and server.
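The exchange that the IAS policy steps (vendor code 1588, vendor-assigned attribute 1, string role) and the aaaConfig -s and -a options above configure, as an added worked example in Python; it is not code from this guide or from Brocade. It follows RFC 2865 for the packet layout, the PAP User-Password obfuscation and the Response Authenticator check. The user name, password, shared secret and NAS address in it are constructed, and the function names are the example’s own. It shows why the shared secret matters with PAP: the password is XORed with an MD5 keystream derived from the secret, and the switch can only reject a forged Access-Accept if the secret is one the attacker does not know.

```python
"""Added example (not HP/Brocade code): the RADIUS round trip behind the
IAS and aaaConfig settings, per RFC 2865.  The switch sends an
Access-Request whose PAP password is obscured with the shared secret; the
server answers an Access-Accept carrying the login role in a
Vendor-Specific attribute (vendor 1588, vendor attribute 1, string); the
switch verifies the Response Authenticator with the same secret.
User names, passwords, secrets and the NAS address are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
VENDOR_BROCADE = 1588   # "Enter Vendor Code" value from the IAS dialog
VSA_ROLE = 1            # vendor-assigned attribute number for the login role


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def _attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list."""
    pos = 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        yield atype, payload[pos + 2:pos + alen]
        pos += alen


def obscure_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; block 0 is XORed with
    MD5(secret + Request Authenticator), block i with MD5(secret + previous
    cipher block).  Nothing but the secret protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo obscure_password with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, user, password, secret, nas_ip, request_auth):
    """Switch side: Access-Request with User-Name, PAP User-Password, NAS-IP-Address."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, obscure_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, role):
    """Server side: Accept with the Brocade role VSA, authenticated with the secret."""
    vsa = struct.pack("!IBB", VENDOR_BROCADE, VSA_ROLE, len(role) + 2) + role.encode()
    attrs = _attr(ATTR_VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_reply(packet, request_auth, secret):
    """Switch side: drop the reply unless its Response Authenticator verifies,
    then read the role out of the vendor-1588 VSA."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    resp_auth, attrs = packet[4:20], packet[20:length]
    if hashlib.md5(packet[:4] + request_auth + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    role = None
    for atype, value in _attributes(attrs):
        if atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_BROCADE:
            vtype, vlen = value[4], value[5]
            if vtype == VSA_ROLE:
                role = value[6:4 + vlen].decode()
    return code, ident, role


def exchange(secret, user="alice", password="s3cret-pw", role="admin"):
    """Full round trip.  Returns the password as the server recovered it and
    the role the switch read from the Accept."""
    request_auth = os.urandom(16)
    req = build_access_request(7, user, password, secret, "10.0.0.5", request_auth)
    recovered = next(reveal_password(v, secret, request_auth).decode()
                     for t, v in _attributes(req[20:]) if t == ATTR_USER_PASSWORD)
    code, ident, got_role = parse_reply(build_access_accept(7, request_auth, secret, role),
                                        request_auth, secret)
    assert code == ACCESS_ACCEPT and ident == 7
    return recovered, got_role


def wrong_secret_detected(secret=b"correct-secret", other=b"wrong-secret"):
    """A reply signed with a different secret (or tampered with) is rejected."""
    request_auth = bytes(16)
    accept = build_access_accept(1, request_auth, secret, "admin")
    try:
        parse_reply(accept, request_auth, other)
    except ValueError:
        return True
    return False
```

With -a chap the switch sends a CHAP response instead of an obscured password, and with -a peap-mschapv2 the whole EAP conversation runs inside TLS; in both cases the shared secret still authenticates the server’s reply, which is why the default “sharedsecret” must be replaced on every switch and server.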
To add an LDAP server to the switch configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --add <server> [-p port] [-t timeout] [-d domain_name]
server   Enter either a server name or IPv4 address. Microsoft’s Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port   Optional: Enter a server port. The default is port 389.
-t timeout   Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-d domain_name   Enter the name of the Windows domain.
At least one RADIUS or LDAP server must be configured before you can enable the RADIUS or LDAP service.
If no RADIUS or LDAP configuration exists, turning it on triggers an error message. When the command succeeds, the event log indicates that the configuration is enabled or disabled.
NOTE: When the RADIUS authentication mode is set to radius;local, you cannot downgrade the Fabric
OS to any version earlier than 5.2.0. Previous versions do not support the radius;local mode.
When the LDAP authentication mode is set to ldap;local, you cannot downgrade the Fabric OS to any version earlier than 6.x. Previous versions do not support the ldap;local mode.
To enable and disable a RADIUS or LDAP server:
1. Connect to the switch and log in using an admin account.
2. Enter this command to enable RADIUS or LDAP using the local database:
switch:admin> aaaconfig --authspec "<radius | ldap>;local"
where you specify the type of server as either RADIUS or LDAP, but not both. Local is used for local authentication if the user authentication fails on the RADIUS or LDAP server.
Example
switch:admin> aaaconfig --authspec "radius;local" --backup
To delete a RADIUS or LDAP server from the configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --remove server | all
server Enter either the name or IP address of the server to be removed.
When the command succeeds, the event log indicates that the server is removed.
To change a RADIUS server configuration
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-s shared secret] [-t timeout] [-a pap|chap|peap-mschapv2]
server Enter either the name or IP address of the server to be changed.
-p port Optional: Enter a server port. The default is 1812.
-s shared secret Optional: Enter a shared secret.
-t timeout Optional: Enter the length of time (in seconds) the server has to
respond before the next server is contacted.
-a [pap|chap|peap-mschapv2]   Specify PAP, CHAP or PEAP as the authentication protocol. Use peap-mschapv2 to provide security on the switch.
NOTE: Protected Extensible Authentication Protocol (PEAP) is used to authenticate users and clients. It is based on extensible authentication protocol (EAP) and transport layer security (TLS). When PEAP is configured on the switch, clients running Fabric Manager cannot authenticate.
To change an LDAP server configuration:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --change server [-p port] [-t timeout] [-d domain_name]
server   Enter either a server name or IPv4 address. Microsoft’s Active Directory does not support IPv6 addresses. Avoid duplicating server listings (that is, listing the same server once by name and again by IP address). Up to five servers can be added to the configuration.
-p port   Optional: Enter a server port. The default is port 389.
-t timeout   Optional: Enter the length of time (in seconds) that the server has to respond before the next server is contacted. The default is three seconds. Time-out values can range from 1 to 30 seconds.
-d domain_name   Enter the name of the Windows domain.
To change the order in which RADIUS or LDAP servers are contacted for service:
1. Connect to the switch and log in using an admin account.
2. Enter this command:
switch:admin> aaaConfig --move server to_position
server   Enter either the name or IP address of the server whose position is to be changed.
to_position   Enter the position number to which the server is to be moved.
When the command succeeds, the event log indicates that a server configuration is changed.

Enabling and disabling local authentication as backup

It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS or LDAP servers fail to respond because of power outage or network problems. To enable or disable local authentication, enter the following command for RADIUS:
switch:admin> aaaconfig --authspec "radius;local" --backup
or for LDAP,
switch:admin> aaaconfig --authspec "ldap;local" --backup
For details about this command see Table 12 on page 66.
When local authentication is enabled as a backup and the RADIUS or LDAP servers fail to respond, you can log in to the default switch accounts (admin and user) or any user-defined account. You must know the passwords of these accounts. With --backup the switch falls back to the local database only when none of the configured servers responds, so keep those local passwords as strong as the server-side ones: they are the credentials an attacker who can isolate the switch from its authentication servers will be tested against.
When the command succeeds, the event log indicates that local database authentication is disabled or enabled.

Boot PROM password

The boot PROM password provides an additional layer of security by protecting the boot PROM from unauthorized use. Setting a recovery string for the boot PROM password enables you to recover a lost boot PROM password by contacting HP. Without the recovery string, a lost boot PROM password cannot be recovered.
You should set the boot PROM password and the recovery string on all switches, as described in ”Setting
the boot PROM password with a recovery string” on page 79. If your site procedures dictate that you set
the boot PROM password without the recovery string, see ”Setting the boot PROM password without a
recovery string” on page 81.

Setting the boot PROM password with a recovery string

To set the boot PROM password with a recovery string, refer to the section that applies to your switch model.
NOTE: Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow
through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router
The instructions contained within this section are only for the switches listed in the title. If your switch is not listed, please contact HP for instructions.
To set the boot PROM password for a switch with a recovery string:
1. Connect to the serial port interface.
2. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
3. Enter 2.
If no password was previously set, the following message displays:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages display:
Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
4. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware prompts for this password only once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt displays:
New password:
5. Enter the boot PROM password, then re-enter it when prompted. The password must be eight
alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved.
6. Type reset at the prompt to reboot the switch.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)
The boot PROM and recovery passwords must be set for each CP blade on the 4/256 SAN Director or DC Director.
To set the boot PROM password for a Director with a recovery string:
1. Connect to the serial port interface on the standby CP blade.
2. Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent
failover during the remaining steps.
3. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP
blade to Off, and then back to On.
4. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
5. Enter 2.
If no password was previously set, the following message displays:
Recovery password is NOT set. Please set it now.
If a password was previously set, the following messages display:
Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw==
Enter the supplied recovery password.
Recovery Password:
6. Enter the recovery password (string).
The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.
The following prompt displays:
New password:
7. Enter the boot PROM password, then re-enter it when prompted. The password must be eight
alphanumeric characters (any additional characters are not recorded). Record this password for future use.
The new password is automatically saved (the saveEnv command is not required).
8. Connect to the active CP blade using serial or Telnet and enter the haEnable command to restore
High Availability; then fail over the active CP blade by entering the haFailover command. Traffic flow through the active CP blade resumes when the failover is complete.
9. Connect the serial cable to the serial port on the new standby CP blade (previously the active
CP blade).
10. Repeat step 2 through step 7 for the new standby CP blade (each CP blade has a separate boot PROM
password).
11 . Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High
Availability.

Setting the boot PROM password without a recovery string

Although you can set the boot PROM password without also setting the recovery string, it is strongly recommended that you set both the password and the string as described in ”Setting the boot PROM
password with a recovery string” on page 79. If your site procedures dictate that you must set the boot
PROM password without the string, follow the procedure that applies to your switch model.
Setting the boot PROM password requires accessing the boot prompt, which stops traffic flow through the switch until the switch is rebooted. You should perform this procedure during a planned down time.
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol (MP) Router
The password recovery instructions contained within this section are only for the switches listed in the title. If your switch is not listed, contact HP for instructions.
To set the boot PROM password for a switch without a recovery string:
1. Create a serial connection to the switch.
2. Enter the reboot command to reset the switch.
3. Press ESC within four seconds after the message “Press escape within 4 seconds...” displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
4. Enter 3.
5. At the shell prompt, enter the passwd command.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot
interface.
6. Enter your boot PROM password at the prompt, then re-enter it when prompted. The password must be
eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
7. Enter the saveEnv command to save the new password.
8. Enter the reboot command to reset the switch.
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)
On 4/256 SAN Director and DC Director models, set the password on the standby CP blade, fail over, and then set the password on the previously active (now standby) CP blade to minimize disruption to the fabric.
To set the boot PROM password for a Director without a recovery string:
1. Determine the active CP blade by opening a Telnet session to either CP blade, connecting as admin,
and entering the haShow command.
2. Connect to the active CP blade by serial or Telnet and enter the haDisable command to prevent
failover during the remaining steps.
3. Create a serial connection to the standby CP blade.
4. Reboot the standby CP blade by sliding the On/Off switch on the ejector handle of the standby CP
blade to Off, and then back to On. This causes the blade to reset.
5. Press ESC within four seconds after the message
Press escape within 4 seconds... displays.
The following options are available:
Option Description
1 Start system. Continues the system boot process.
2 Recovery password. Lets you set the recovery string and the boot PROM password.
3 Enter command shell. Provides access to boot parameters.
6. Enter 3.
7. Enter the passwd command at the shell prompt.
NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot
interface.
8. Enter your boot PROM password at the prompt, then re-enter it when prompted. The password must be
eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.
9. Enter the saveEnv command to save the new password.
10. Reboot the standby CP blade by entering the reset command.
11. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High Availability; then fail over the active CP blade by entering the haFailover command. Traffic resumes flowing through the newly active CP blade after it has completed rebooting.
12 . Connect the serial cable to the serial port on the new standby CP blade (previously the active
CP blade).
13 . Repeat step 3 through step 10 for the new standby CP blade.
14. Connect to the active CP blade by serial or Telnet and enter the haEnable command to restore High
Availability.

Recovering forgotten passwords

If you know the root password, you can use this procedure to recover the password for the default accounts of user, admin, and factory.
To recover passwords:
1. Open a CLI connection (serial or Telnet) to the switch.
OR Connect to the primary FCS switch, if one exists in your fabric.
2. Log in as root.
3. Enter the command for the type of password that was lost:
passwd user passwd admin passwd factory
4. Enter the requested information at the prompts.
To recover a lost root password or boot PROM password, contact HP. You must have previously set a recovery string to recover the boot PROM password.

3 Configuring standard security features

This chapter provides information and procedures for configuring standard Fabric OS security features such as protocol and certificate management.
IMPORTANT: Secure Fabric OS is no longer supported in Fabric OS 6.x.

Secure protocols

Fabric OS supports the secure protocols shown in Table 15.

Table 15 Secure protocol support

Protocol Description
SSL Supports SSLv3, 128-bit encryption by default. Fabric OS uses SSL to support
HTTPS. A certificate must be generated and installed on each switch to enable SSL.
HTTPS Web Tools supports the use of HTTPS.
Secure File Copy (scp) Configuration upload and download support the use of scp.
SNMPv3 SNMPv1 and v2 are also supported.
Simple Network Management Protocol (SNMP) is a standard method for monitoring and managing network devices. Using SNMP components, you can program tools to view, browse, and manipulate switch variables and set up enterprise-level management processes.
Every switch carries an SNMP agent and Management Information Base (MIB). The agent accesses MIB information about a device and makes it available to a network manager station. You can manipulate information of your choice by trapping MIB elements using the Fabric OS CLI, Web Tools, or Fabric Manager.
The SNMP Access Control List (ACL) provides a way for the administrator to restrict SNMP get and set operations to certain hosts and IP addresses. This is used for enhanced management security in the storage area network.
For details on Brocade MIB files, naming conventions, loading instructions, and information about using Brocade's SNMP agent, see the Fabric OS MIB Reference.
Table 16 describes additional software or certificates that you must obtain to deploy secure protocols.

Table 16 Items needed to deploy secure protocols

Protocol                 Host side                                                          Switch side
SSH                      SSH client                                                         None
HTTPS                    No requirement on host side except a browser that supports HTTPS   Switch IP certificate for SSL
Secure File Copy (scp)   SSH daemon, scp server                                             None
SNMPv1, SNMPv2, SNMPv3   None                                                               None
The security protocols are designed with the four main usage cases described in Table 17.

Table 17 Main security scenarios

Fabric      Management interfaces   Comments
Nonsecure   Nonsecure               No special setup is needed to use Telnet or HTTP.
Nonsecure   Secure                  Secure protocols may be used. An SSL switch certificate must be installed if HTTPS is used.
Secure      Secure                  Secure protocols are supported on Fabric OS v4.1.0 and later switches. Switches running earlier Fabric OS versions can be part of the secure fabric, but they do not support secure management. Secure management protocols must be configured for each participating switch. Nonsecure protocols may be disabled on nonparticipating switches. If SSL is used, then certificates must be installed.
Secure      Nonsecure               You must use SSH because Telnet is not allowed with some features, such as RADIUS. Nonsecure management protocols are necessary under these circumstances: the fabric contains switches running Fabric OS v3.2.0; software tools that do not support secure protocols are present, for example Fabric Manager v4.0.0; the fabric contains switches running Fabric OS versions earlier than v4.4.0. Nonsecure management is enabled by default.

Ensuring network security

To ensure security, Fabric OS supports secure shell (SSH) encrypted sessions in 4.1.x and later. SSH encrypts all messages, including the client’s transmission of password during login. The SSH package contains a daemon (sshd), which runs on the switch. The daemon supports a wide variety of encryption algorithms, such as Blowfish-CBC and AES.
NOTE: To maintain a secure network, you should avoid using Telnet or any other unprotected application
when you are working on the switch.
The FTP protocol is also not secure. When you use FTP to copy files to or from the switch, the contents are in clear text. This includes the remote FTP server's login and password. This limitation affects the following commands: saveCore, configUpload, configDownload, and firmwareDownload.
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected.
Fabric OS 4.1.0 and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to the SSH IETF website:
http://www.ietf.org/ids.by.wg/secsh.html
For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman.

Configuring the Telnet protocol

Telnet is enabled by default. To prevent users from passing clear text passwords over the network when they connect to the switch, you can block the Telnet protocol using an IP Filter policy.
NOTE: Before blocking Telnet, make sure you have an alternate method of establishing a connection with
the switch.

Blocking Telnet

To block Telnet:
1. Connect to the switch and log in as admin.
Connect through some means other than Telnet: for example, through SSH.
2. Create a policy:
ipfilter --create <policyname> -type <ipv4 | ipv6>
where <policyname> is the name of the new policy and -type specifies whether the policy applies to IPv4 or IPv6 addresses.
Example
ipfilter --create block_telnet_v4 -type ipv4
3. Add a rule to the policy, by typing the following command:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act <deny>
where the -sip option can be given as any, -dp is the port number for Telnet (23), and -proto is tcp.
Example
ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny
4. Save the new ipfilter policy by typing the following command:
ipfilter --save [policyname]
where [policyname] is the name of the policy and is optional.
Example
ipfilter --save block_telnet_v4
5. Activate the new ipfilter policy by typing the following command:
ipfilter --activate <policyname>
where <policyname> is the name of the policy you created in step 2.
Example
ipfilter --activate block_telnet_v4

Unblocking Telnet

To unblock Telnet:
1. Connect to the switch through a means other than Telnet (for example, SSH) and log in as admin.
2. Type in the following command:
ipfilter --delete <telnet_policyname>
where <telnet_policyname> is the name of the Telnet policy.
3. To permanently delete the policy, type the following command:
ipfilter --save
For more information on IP Filter policies, refer to ”Configuring advanced security features” on page 99.

Blocking listeners

HP switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 18 lists the listener applications that Brocade switches either block or do not start.

Table 18 Blocked listener applications

Listener application   Directors                  Switches
Directors: 4/256 SAN Director and DC SAN Backbone Director (short name, DC Director), with FC10-6, FC4-48, FC4-16IP, FC8-16, FC8-32, FC8-48, and FR4-18i blades.
Switches: HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocol Router.
chargen                Disabled                   Disabled
echo                   Disabled                   Disabled
daytime                Disabled                   Disabled
discard                Disabled                   Disabled
ftp                    Disabled                   Disabled
rexec                  Block with packet filter   Disabled
rsh                    Block with packet filter   Disabled
rlogin                 Block with packet filter   Disabled
time                   Block with packet filter   Disabled
rstats                 Disabled                   Disabled
rusers                 Disabled                   Disabled

Accessing switches and fabrics

If you are using the FC-FC Routing Service, be aware that the secModeEnable command is no longer supported in Fabric OS 6.x.
Table 19 lists the defaults for accessing hosts, devices, switches, and zones.

Table 19 Access defaults

Access | Default
Hosts | Any host can access the fabric by SNMP
Hosts | Any host can Telnet to any switch in the fabric
Hosts | Any host can establish an HTTP connection to any switch in the fabric
Hosts | Any host can establish an API connection to any switch in the fabric
Devices | All devices can access the Management Server
Devices | Any device can connect to any FC port in the fabric
Switch access | Any switch can join the fabric
Switch access | All switches in the fabric can be accessed through a serial port
Zoning | No zoning is enabled
86 Configuring standard security features

Port configuration

The following table provides information on the ports that the switch uses. When configuring the switch for various policies, take into consideration firewalls and other devices that may sit between switches in the fabric and your network, or between the managers and the switch.

Port | Type | Common use | Comment
22 | TCP | SSH |
23 | TCP | Telnet | Use the ipfilter command to block the port.
80 | TCP | HTTP | Use the ipfilter command to block the port.
111 | TCP | sunrpc | This port is used by the Platform API. Use the ipfilter command to block the port.
123 | TCP | NTP |
161 | UDP | SNMP | Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.
443 | TCP | HTTPS | Use the ipfilter command to block the port.
512 | TCP | exec |
513 | TCP | login |
514 | TCP | shell |
897 | TCP | | This port is used by the Platform API. Disable this port using the configure command.
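As an added example (not from the guide), the following Python helper generates the ipfilter command sequence used in "Blocking Telnet" for any set of management ports and checks each port against the port table above: the protocol comes from the table (so SNMP is denied as udp, not tcp), port 897 is refused because the table routes it to the configure command, and a policy that would deny SSH is refused by default because SSH is the out-of-band path used in "Unblocking Telnet". The policy names are constructed, and numbering rules from 1 is an assumption.

```python
"""Build the ipfilter command sequence from "Blocking Telnet" for any set of
management ports, validating each port against the port configuration table."""
from typing import Dict, List, Tuple

# (protocol, service) per port, copied from the guide's port configuration table.
MANAGEMENT_PORTS: Dict[int, Tuple[str, str]] = {
    22: ("tcp", "SSH"), 23: ("tcp", "Telnet"), 80: ("tcp", "HTTP"),
    111: ("tcp", "sunrpc"), 123: ("tcp", "NTP"), 161: ("udp", "SNMP"),
    443: ("tcp", "HTTPS"), 512: ("tcp", "exec"), 513: ("tcp", "login"),
    514: ("tcp", "shell"), 897: ("tcp", "Platform API"),
}
# Ports the table does not block with ipfilter, with the mechanism it names.
BLOCKED_ELSEWHERE = {897: "disable it with the configure command"}


def build_block_policy(policy: str, ports: List[int], ip_version: str = "ipv4",
                       source: str = "any", protect_ssh: bool = True) -> List[str]:
    """Return ipfilter --create/--addrule/--save/--activate commands that deny
    `ports` from `source` (the guide's example uses -sip any).

    Raises ValueError for a port missing from the table, for a port the table
    routes to another mechanism, and (with protect_ssh) for a policy that would
    deny SSH, the path the guide uses to reach a switch whose Telnet is blocked.
    """
    if ip_version not in ("ipv4", "ipv6"):
        raise ValueError("--type must be ipv4 or ipv6")
    commands = [f"ipfilter --create {policy} --type {ip_version}"]
    # Rule numbers are assigned 1, 2, ... in port order (an assumption; the
    # guide's example uses -rule 2 for its single rule).
    for rule_no, port in enumerate(sorted(set(ports)), start=1):
        if port not in MANAGEMENT_PORTS:
            raise ValueError(f"port {port}: not in the management port table")
        if port in BLOCKED_ELSEWHERE:
            service = MANAGEMENT_PORTS[port][1]
            raise ValueError(f"port {port} ({service}): {BLOCKED_ELSEWHERE[port]}")
        if port == 22 and protect_ssh:
            raise ValueError("policy would deny SSH (22), the path used to unblock Telnet")
        proto = MANAGEMENT_PORTS[port][0]   # tcp for most services, udp for SNMP
        commands.append(f"ipfilter --addrule {policy} -rule {rule_no} -sip {source} "
                        f"-dp {port} -proto {proto} -act deny")
    commands += [f"ipfilter --save {policy}", f"ipfilter --activate {policy}"]
    return commands


def unblock_commands(policy: str) -> List[str]:
    """The "Unblocking Telnet" sequence; run it over SSH, not over the blocked service."""
    return [f"ipfilter --delete {policy}", "ipfilter --save"]
```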

Configuring for the SSL protocol

Fabric OS 4.4.0 and later supports secure sockets layer (SSL) protocol, which provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature.
Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).
SSL uses Public Key Infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is based on digital certificates obtained from an Internet Certificate Authority (CA), which acts as the trusted key agent.
Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending on the issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you may have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan these types of changes accordingly.

Browser and Java support

Fabric OS supports the following Web browsers for SSL connections:
Internet Explorer (Microsoft Windows)
Mozilla (Solaris and Red Hat Linux)
In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default. You can display the encryption support (called “cipher strength”) using the Internet Explorer Help:About menu option. If you are running an earlier version of Internet Explorer, you may be able to download an encryption patch from the Microsoft website at http://www.microsoft.com.
You should upgrade to the Java 1.5.0_06 Plug-in on your management workstation. To find the Java version that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, see the Web Tools Administrator’s Guide.

Summary of SSL procedures

You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL.
You also need to install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser.
Configuring for SSL involves these major steps, which are shown in detail in the next sections.
1. Choose a Certificate Authority (CA).
2. Generate the following items on each switch:
a. A public/private key (secCertUtil genkey command).
b. A certificate signing request (CSR) (secCertUtil gencsr command), and store the CSR on an FTP server (secCertUtil export command).
3. Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 20.
Table 20 SSL certificate files
Certificate file | Description
name.crt | The switch certificate.
nameRoot.crt | The root certificate. Typically, this certificate is already installed in the browser, but if not, you must install it.
nameCA.crt | The CA certificate. It needs to be installed in the browser to verify the validity of the server certificate; otherwise, server validation fails.
4. On each switch, install and then activate the certificate.
5. If necessary, install the root certificate to the browser on the management workstation.
6. Add the root certificate to the Java Plug-in keystore on the management workstation.

Choosing a CA

To ease maintenance and allow secure out-of-band communication between switches, consider using one CA to sign all management certificates for a fabric. If you use different CAs, management services operate correctly, but the Web Tools Fabric Events button is unable to retrieve events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some may accept a 2048-bit key. Consider your fabric configuration, check CA websites for requirements, and gather all the information that the CA requires.

Generating a public/private key

Perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command to generate a public/private key pair:
switch:admin> seccertutil genkey
The system reports that this process will disable secure protocols, delete any existing CSR, and delete any existing certificates.
3. Respond to the prompts to continue and select the key size:
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
IMPORTANT: HP recommends selecting 1024 in most cases. CA support for the 2048-bit key size is limited.

Generating and storing a CSR

After generating a public/private key, perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil gencsr
3. Enter the requested information:
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):Eng
Common Name (Fully qualified Domain Name, or IP address): 192.1.2.3
Generating CSR, file name is: 192.1.2.3.csr
Done.
Your CA may require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the fully qualified domain name is set on the domain name server.
4. Enter this command to store the CSR:
switch:admin> seccertutil export
5. Enter the requested information:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.1.2.3
Enter remote directory: path_to_remote_directory
Enter Login Name: your account
Enter Password: your password
Success: exported CSR.
If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote directory name of the FTP server to which the CSR is to be sent. Enter your account name and password on the server.

Obtaining certificates

Check the instructions on the CA website; then, perform this procedure for each switch.
1. Generate and store the CSR as described in ”Generating and storing a CSR” on page 89.
2. Open a Web browser window on the management workstation and go to the CA website. Follow the instructions to request a certificate. Locate the area in the request form into which you are to paste the CSR.
3. Through a Telnet window, connect to the switch and log in as admin.
4. Enter this command:
switch:admin> seccertutil showcsr
The contents of the CSR are displayed.
5. Locate the section that begins with “BEGIN CERTIFICATE REQUEST” and ends with “END CERTIFICATE REQUEST”.
6. Copy and paste this section (including the BEGIN and END lines) into the area provided in the request form; then, follow the instructions to complete and send the request.
It may take several days to receive the certificates. If the certificates arrive by e-mail, save them to an FTP server. If the CA provides access to the certificates on an FTP server, make note of the path name and make sure you have a login name and password on the server.

Installing a switch certificate

Perform this procedure on each switch.
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil import
3. Select a protocol, enter the IP address of the host on which the switch certificate is saved, and enter your login name and password:
Select protocol [ftp or scp]: ftp
Enter IP address: 192.10.11.12
Enter remote directory: path_to_remote_directory
Enter certificate name (must have ".crt" suffix): 192.1.2.3.crt
Enter Login Name: your_account
Enter Password: *****
Success: imported certificate [192.1.2.3.crt].
The certificate is downloaded to the switch. To use this certificate, run the configure command to activate it.

Activating a switch certificate

1. Enter the configure command.
2. When the ssl attributes prompt comes up, type y.
3. Respond to the prompts that apply to SSL certificates:
SSL attributes | Enter y or yes.
Certificate File | Enter the name of the switch certificate file: for example, 192.1.2.3.crt.
CA Certificate File | If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file; otherwise, skip this prompt.
Select length of crypto key | Enter the encryption key length (40, 56, or 128).
HTTP attributes | Enter yes.
Secure HTTP enabled | Enter yes.
For example:
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no] yes
Certificate File. (filename or none): [10.33.13.182.crt] 192.1.2.3.crt
CA Certificate File. (filename or none): [none]
Select length of crypto key. (Valid values are 40, 56, and 128.): (40..128) [128]
http attributes (yes, y, no, n): [no] yes
HTTP Enabled (yes, y, no, n): [yes] no
Secure HTTP Enabled (yes, y, no, n): [no] yes
After you exit the configure command, the HTTP daemon restarts automatically to handle HTTPS requests.

Configuring the browser

The root certificate may already be installed in your browser, but if not, you must install it. To see whether it is already installed, check the certificate store in your browser.
The next procedures are guides for installing root certificates to Internet Explorer and Mozilla browsers. For more detailed instructions, refer to the documentation that came with the certificate.
To check and install root certificates on Internet Explorer:
1. From the browser Tools menu, select Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click the Intermediate certification authorities or Trusted Root certification authorities tab and scroll the lists to see if the root certificate is listed. If it is listed, you do not need to install it; skip the remainder of this procedure.
5. If the certificate is not listed, click Import.
6. Follow the instructions in the Certificate Import wizard to import the certificate.
To check and install root certificates on Mozilla:
1. From the browser Edit menu, select Preferences.
2. In the left pane of the Preferences window, expand the Privacy & Security list and select Certificates.
3. In the right pane, click Manage Certificates.
4. In the next window, click the Authorities tab.
5. Scroll the authorities list to see if the root certificate is listed. (For example, its name may have the form nameRoot.crt.) If it is listed, you do not need to install it; skip the remainder of this procedure.
6. If the certificate is not listed, click Import.
7. Browse to the certificate location and select the certificate. (For example, select nameRoot.crt.)
8. Click Open and follow the instructions to import the certificate.

Installing a root certificate to the Java plug-in

For information on Java requirements, see ”Browser and Java support” on page 87.
This procedure is a guide for installing a root certificate to the Java Plug-in on the management workstation. If the root certificate is not already installed to the plug-in, you should install it. For more detailed instructions, refer to the documentation that came with the certificate and to the Sun Microsystems website, www.sun.com.
1. Copy the root certificate file from its location on the FTP server to the Java Plug-in bin. For example, the bin location may be:
C:\Program Files\Java\j2re1.5.0_06\bin
2. Open a command prompt window and change directory to the Java Plug-in bin.
3. Enter the keytool command and respond to the prompts:
C:\Program Files\Java\j2re1.5.0_06\bin> keytool -import -alias RootCert -file RootCert.crt -keystore ..\lib\security\RootCerts
Enter keystore password: changeit
Owner: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
Issuer: CN=Brocade, OU=Software, O=Brocade Communications, L=San Jose, ST=California, C=US
Serial number: 0
Valid from: Thu Jan 15 16:27:03 PST 2007 until: Sat Feb 14 16:27:03 PST 2007
Certificate fingerprints:
MD5: 71:E9:27:44:01:30:48:CC:09:4D:11:80:9D:DE:A5:E3
SHA1: 06:46:C5:A5:C8:6C:93:9C:FE:6A:C0:EC:66:E9:51:C2:DB:E6:4F:A1
Trust this certificate? [no]: yes
Certificate was added to keystore
In the example, changeit is the default password and RootCert is an example root certificate name.

Displaying and deleting certificates

Table 21 summarizes the commands for displaying and deleting certificates. For details on the commands, see the Fabric OS Command Reference.
Table 21 Commands for displaying and deleting SSL certificates
Command | Description
secCertUtil show | Displays the state of the SSL key and a list of installed certificates
secCertUtil show filename | Displays the contents of a specific certificate
secCertUtil showcsr | Displays the contents of a CSR
secCertUtil delete filename | Deletes a specified certificate
secCertUtil delcsr | Deletes a CSR

Troubleshooting certificates

If you receive messages in the browser or in a pop-up window when logging in to the target switch using HTTPS, refer to Table 22 for recommended actions you can take.
Table 22 SSL messages and actions
Message | Action
The page cannot be displayed | The SSL certificate is not installed correctly or HTTPS is not enabled correctly. Make sure that the certificate has not expired, that HTTPS is enabled, and that certificate file names are configured correctly.
The security certificate was issued by a company you have not chosen to trust… | The certificate is not installed in the browser. Install it as described in ”Configuring the browser” on page 91.
The security certificate has expired or is not yet valid | Either the certificate file is corrupted or it needs to be updated. Click View Certificate to verify the certificate content. If it is corrupted or out of date, obtain and install a new certificate.
The name on the security certificate is invalid or does not match the name of the site | The certificate is not installed correctly in the Java Plug-in. Install it as described in ”Installing a root certificate to the Java plug-in” on page 91.
This page contains both secure and nonsecure items. Do you want to display the nonsecure items? | Click No in this pop-up window. The session opens with a closed lock icon on the lower-right corner of the browser, indicating an encrypted connection.

Configuring for SNMP

You can configure for the automatic transmission of SNMP information to management stations. SNMPv3 and SNMPv1 are supported.
The configuration process involves configuring the SNMP agent and configuring SNMP traps. The following commands are used in the process:
Use the configure command to set the security level. You can specify no security, authentication only, or authentication and privacy.
Use the snmpConfig command to configure the SNMP agent and traps for SNMPv3 or SNMPv1 configurations.
If necessary for backward compatibility, you can use these legacy commands to configure for SNMPv1:
•Use the agtCfgShow, agtCfgSet, and agtCfgDefault commands to configure the SNMPv1 agent.
•Use the snmpMibCapSet command to filter at the trap level.
The SNMP trap configuration specifies the MIB trap elements to be used to send information to the SNMP management station. There are two main MIB trap choices:
Brocade-specific MIB trap
Associated with the Brocade-specific MIB (SW-MIB), this MIB monitors Brocade (HP) switches specifically.
FibreAlliance MIB trap
Associated with the FibreAlliance MIB (FA-MIB), this MIB manages SAN switches and devices from any company that complies with FibreAlliance specifications.
If you use both SW-MIB and FA-MIB, you may receive duplicate information. You can disable the FA-MIB, but not the SW-MIB.
You can also use these additional MIBs and their associated traps:
FICON-MIB (for FICON environments)
SW-EXTTRAP
Includes the swSsn (Software Serial Number) as a part of Brocade SW traps.
For information on Brocade MIBs, see the Fabric OS MIB Reference.
For information on the specific commands used in these procedures, see online help or the Fabric OS
Command Reference.

Setting the security level

Use the configure command to set the security level (called “SNMP attributes”). You can specify no security, authentication only, or authentication and privacy. For example, to configure for authentication and privacy:
Stealth200E:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
ssl attributes (yes, y, no, n): [no]
rpcd attributes (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce signature validation for firmware (yes, y, no, n): [no]
webtools attributes (yes, y, no, n): [no]
System (yes, y, no, n): [no]
No changes.

Using the snmpConfig command

Use the snmpConfig --set command to change either the SNMPv3 or SNMPv1 configuration. You can also change access control, MIB capability, and system group.
Sample SNMPv3 configuration
switch:admin> snmpconfig --set snmpv3
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin2] shauser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
New Auth Passwd:
Verify Auth Passwd:
Priv Protocol [DES(1)/noPriv[2]): (1..2) [2] 1
New Priv Passwd:
Verify Priv Passwd:
User (rw): [snmpadmin3] nosec
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser1]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser2]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
User (ro): [snmpuser3]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (3..3) [3]
Priv Protocol [DES(1)/noPriv[2]): (2..2) [2]
SNMPv3 trap recipient configuration:
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.90
UserIndex: (1..6) [1]
Trap recipient Severity level : (0..5) [0] 4
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.92
UserIndex: (1..6) [2]
Trap recipient Severity level : (0..5) [0] 2
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Trap Recipient's IP address in dot notation: [0.0.0.0]
Committing configuration...done.
Sample SNMPv1 configuration
switch:admin> snmpconfig --set snmpv1
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Trap recipient Severity level : (0..5) [0] 1
Community (rw): [OrigEquipMfr]
Trap Recipient's IP address in dot notation: [10.32.225.2]
Trap recipient Severity level : (0..5) [1]
Community (rw): [private]
Trap Recipient's IP address in dot notation: [10.32.225.3]
Trap recipient Severity level : (0..5) [2]
Community (ro): [public]
Trap Recipient's IP address in dot notation: [10.32.225.4]
Trap recipient Severity level : (0..5) [3]
Community (ro): [common]
Trap Recipient's IP address in dot notation: [10.32.225.5]
Trap recipient Severity level : (0..5) [4]
Community (ro): [FibreChannel]
Trap Recipient's IP address in dot notation: [10.32.225.6]
Trap recipient Severity level : (0..5) [5]
Committing configuration...done.
Sample accessControl configuration
switch:admin> snmpconfig --set accessControl
SNMP access list configuration:
Access host subnet area in dot notation: [0.0.0.0] 192.168.0.0
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.32.148.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0] 10.33.0.0
Read/Write? (true, t, false, f): [true] f
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Access host subnet area in dot notation: [0.0.0.0]
Read/Write? (true, t, false, f): [true]
Committing configuration...done.
Sample mibCapability configuration
supp_dcx_218:admin> snmpconfig --show mibcapability
FE-MIB: YES
SW-MIB: YES
FA-MIB: YES
FICON-MIB: YES
HA-MIB: YES
FCIP-MIB: YES
ISCSI-MIB: NO
SW-TRAP: YES
swFCPortScn: YES
swEventTrap: YES
swFabricWatchTrap: YES
swTrackChangesTrap: YES
FA-TRAP: YES
connUnitStatusChange: YES
connUnitEventTrap: YES
connUnitSensorStatusChange: YES
connUnitPortStatusChange: YES
SW-EXTTRAP: NO
FICON-TRAP: YES
linkRNIDDeviceRegistration: YES
linkRNIDDeviceDeRegistration: YES
linkLIRRListenerAdded: YES
linkLIRRListenerRemoved: YES
linkRLIRFailureIncident: YES
HA-TRAP: YES
fruStatusChanged: YES
cpStatusChanged: YES
fruHistoryTrap: YES
FCIP-TRAP: NO
Sample systemGroup configuration (default)
switch:admin> snmpconfig --default systemGroup
***** This command will reset the agent's system group configuration back to factory default *****
sysDescr = Fibre Channel Switch
sysLocation = End User Premise
sysContact = Field Support
authTraps = 0 (OFF)
***** Are you sure? (yes, y, no, n): [no] y
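As an added example (not from the guide), a Python audit that reads snmpconfig session transcripts in the prompt format shown above: the value in effect for each prompt is the typed answer, or the bracketed default when nothing was typed. It flags SNMPv3 users left at noAuth or noPriv, the weaker MD5 and DES choices, trap recipients bound to such users, and SNMPv1 communities left at the factory defaults visible in the sample. The transcripts embedded in the block are constructed, modelled on the samples above.

```python
"""Audit Fabric OS snmpconfig session transcripts for weak SNMP settings.
Every prompt shows its current value in [brackets]; an answer typed after the
bracket replaces it and an empty answer keeps it."""
import re
from typing import Iterator, List, Optional, Tuple

# Factory-default community strings: the prompt defaults in the guide's
# sample "snmpconfig --set snmpv1" session.
FACTORY_COMMUNITIES = {"Secret C0de", "OrigEquipMfr", "private",
                       "public", "common", "FibreChannel"}
AUTH_NAMES = {"1": "MD5", "2": "SHA", "3": "noAuth"}
PRIV_NAMES = {"1": "DES", "2": "noPriv", "3": "3DES",
              "4": "AES128", "5": "AES192", "6": "AES256"}
# "<label>: (<range>) [<default>] <answer>"; range and answer are optional.
PROMPT_RE = re.compile(
    r"^(?P<label>.+?)\s*:\s*(?:\([^)]*\)\s*)?\[(?P<default>[^\]]*)\]\s*(?P<answer>\S.*)?$")


def effective_values(transcript: str) -> Iterator[Tuple[str, str]]:
    """Yield (prompt label, value in effect) for each prompt showing a default."""
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:  # password prompts, banners, "Committing configuration..."
            continue
        answer = (m.group("answer") or "").strip()
        yield m.group("label").strip(), answer or m.group("default").strip()


def audit_snmpv3(transcript: str) -> List[str]:
    """Findings for a 'snmpconfig --set snmpv3' session transcript."""
    users: List[dict] = []          # in prompt order; UserIndex counts from 1
    recipients: List[Tuple[str, int]] = []
    pending_ip: Optional[str] = None
    for label, value in effective_values(transcript):
        if label.startswith("User ("):
            users.append({"access": label[6:label.index(")")], "name": value,
                          "auth": "3", "priv": "2"})  # prompt defaults: noAuth/noPriv
        elif label.startswith("Auth Protocol") and users:
            users[-1]["auth"] = value
        elif label.startswith("Priv Protocol") and users:
            users[-1]["priv"] = value
        elif label.startswith("Trap Recipient's IP"):
            pending_ip = None if value == "0.0.0.0" else value  # 0.0.0.0: unused slot
        elif label == "UserIndex" and pending_ip:
            recipients.append((pending_ip, int(value)))
    findings: List[str] = []
    for u in users:
        who = f"{u['access']} user {u['name']}"
        auth, priv = AUTH_NAMES.get(u["auth"], u["auth"]), PRIV_NAMES.get(u["priv"], u["priv"])
        if auth == "noAuth":
            findings.append(f"{who}: no authentication (noAuth)")
        elif auth == "MD5":
            findings.append(f"{who}: MD5 auth; SHA is the stronger option offered")
        if priv == "noPriv":
            findings.append(f"{who}: no privacy, SNMP payload sent in cleartext")
        elif priv in ("DES", "3DES"):
            findings.append(f"{who}: {priv} privacy; prefer AES128 or stronger")
    for ip, idx in recipients:  # traps go out with the credentials of user UserIndex
        u = users[idx - 1] if 0 < idx <= len(users) else None
        if u is None or u["auth"] == "3" or u["priv"] == "2":
            findings.append(f"trap recipient {ip} uses user index {idx} without both auth and priv")
    return findings


def audit_snmpv1(transcript: str) -> List[str]:
    """Findings for a 'snmpconfig --set snmpv1' session transcript."""
    findings: List[str] = []
    for label, value in effective_values(transcript):
        if not label.startswith("Community ("):
            continue
        access = label[11:label.index(")")]
        if value in FACTORY_COMMUNITIES:
            findings.append(f"{access} community '{value}' is a factory default")
        if access == "rw":
            findings.append(f"rw community '{value}': SNMPv1 write access is unauthenticated and cleartext")
    return findings


# Constructed transcripts modelled on the guide's samples (not real captures).
SAMPLE_V3 = """\
SNMPv3 user configuration:
User (rw): [snmpadmin1] adminuser
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 2
New Auth Passwd:
Priv Protocol [DES(1)/noPriv(2)/3DES(3)/AES128(4)/AES192(5)/AES256(6)]: (1..6) [2] 4
User (rw): [snmpadmin2] nosec
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3]
Priv Protocol [DES(1)/noPriv(2)]: (2..2) [2]
User (ro): [snmpuser1]
Auth Protocol [MD5(1)/SHA(2)/noAuth(3)]: (1..3) [3] 1
Priv Protocol [DES(1)/noPriv(2)]: (1..2) [2] 1
SNMPv3 trap recipient configuration:
Trap Recipient's IP address in dot notation: [0.0.0.0] 192.168.45.90
UserIndex: (1..6) [1] 2
Trap Recipient's IP address in dot notation: [0.0.0.0]
Committing configuration...done.
"""
SAMPLE_V1 = """\
SNMP community and trap recipient configuration:
Community (rw): [Secret C0de] admin
Trap Recipient's IP address in dot notation: [0.0.0.0] 10.32.225.1
Community (rw): [OrigEquipMfr]
Community (ro): [public]
Committing configuration...done.
"""
```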

Configuring secure file copy

You can use the configure command to specify that secure file copy (SCP) is used for configuration uploads and downloads.
For example:
switch:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no] n
ssl attributes (yes, y, no, n): [no] n
http attributes (yes, y, no, n): [no] n
snmp attributes (yes, y, no, n): [no] n
rpcd attributes (yes, y, no, n): [no] n
cfgload attributes (yes, y, no, n): [no] y
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce signature validation for firmware (yes, y, no, n): [no]
switch:admin>

4 Configuring advanced security features

This chapter provides information and procedures for configuring advanced Fabric OS security features such as Access Control List (ACL) policies, authentication policies, and IP Filtering for HP’s Fibre Channel switches.
NOTE: Run all commands, with the suggested role, in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.

About access control list (ACL) policies

Fabric OS provides the following policies:
Fabric Configuration Server (FCS) policy—Used to restrict which switches can change the configuration of the fabric.
Device Connection Control (DCC) policies—Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports.
Switch Connection Control (SCC) policy—Used to restrict which switches can join with a switch.
IP Filter Policy (IPFilter) policy—Used to filter traffic based on IP addresses.
Each supported policy is identified by a specific name, and only one policy of each type can exist (except for DCC policies). Policy names are case-sensitive and must be entered in all uppercase.

How the ACL policies are stored

The policies are stored in a local database. The database contains the ACL policy types FCS, DCC, SCC, and IPFilter. The number of policies that may be defined is limited by the size of the database. FCS, SCC, and DCC policies are all stored in the same database.
When a Fabric OS 6.0 switch joins the fabric containing only pre-6.0 switches, the policy database size limit is restricted to the Fabric OS version’s lowest database size. Table 23 shows the Fabric OS version and its associated database size restriction. Distribution of any of the given policies to pre-6.0 switches would fail if the size of the database being distributed is greater than the lowest database size in the fabric. In a fabric with only Fabric OS 6.0 switches present, the limit for security policy database size would be set to 1Mb. In this case, the pre-6.0 switches cannot join the fabric if the fabric security database size is greater than their Fabric OS database size.
Table 23 Security database size restrictions
Fabric OS version Security database size
4.4 256K
5.1/5.2/5.3 256K
6.0 1Mb
The policies are grouped by state and type. A policy can be in either of the following states:
Active—The policy is being enforced by the switch.
Defined—The policy has been set up but is not enforced.
A group of policies is called a Policy Set. Each switch has the following two sets:
Active policy set—Contains ACL policies being enforced by the switch.
Defined policy set—Contains a copy of all ACL policies on the switch.
When a policy is activated, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but they have different values, then the policy has been modified but the changes have not been activated.
Admin Domain considerations: ACL management can be done in AD255, and in AD0 only if there are no other user-defined Admin Domains. Both AD0 (when no other user-defined Admin Domains exist) and AD255 provide an unfiltered view of the fabric.

Identifying policy members

Specify the FCS, DCC and SCC policy members by device port WWN, switch WWN, Domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 24.
Table 24 Valid methods for specifying policy members
Policy name | Device port WWN | Switch WWN | Domain ID | Switch name
FCS_POLICY | No | Yes | Yes | Yes
DCC_POLICY_nnn | Yes | Yes | Yes | Yes
SCC_POLICY | No | Yes | Yes | Yes

Configuring ACL policies

All policy modifications are saved in volatile memory until those changes are saved or activated. You can create multiple sessions to the switch from one or more hosts. It is recommended to make changes from one switch only, to avoid multiple concurrent transactions.
The FCS, SCC and DCC policies in Secure Fabric OS are not interchangeable with Fabric OS FCS, SCC and DCC policies. Uploading and saving a copy of the Fabric OS configuration after creating policies is strongly recommended. Use the configUpload command to upload a copy of the configuration file. For more information on how to use this command, see ”Maintaining Configurations” on page 131.
NOTE: All changes, including the creation of new policies, are saved and activated on the local switch only—unless the switch is in a fabric that has a strict or tolerant fabric-wide consistency policy for the ACL policy type for SCC or DCC. See ”Distributing the policy database” on page 121 for more information on the database settings and fabric-wide consistency policy.
Use the instructions in the following sections to manage common settings between two or more of the DCC, FCS, and SCC policies. For instructions relating to a specific policy, refer to the appropriate section.
”Displaying ACL policies” on page 101
Displays a list of all active and defined ACL policies on the switch.
”Saving changes to ACL policies” on page 108
Save changes to memory without actually implementing the changes within the fabric or to the switch. This saved but inactive information is known as the “defined policy set.”
”Activating changes to ACL policies” on page 108
Simultaneously save and implement all the policy changes made since the last time changes were activated. The activated policies are known as the “active policy set.”
”Adding a member to an existing policy” on page 108
Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices and switches that are not listed in that policy.
”Removing a member from an ACL policy” on page 109
Remove one or more members from a policy. If all members are removed from a policy, that aspect of the fabric becomes closed to all access.
”Deleting an ACL policy” on page 109
Delete an entire policy; deleting a policy opens up that aspect of the fabric to all access.
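As an added example (not from the guide), a small Python model of the policy sets and states described in this section: edits stay volatile until saved or activated, status() reports the three cases the text distinguishes (active; saved but not activated; modified but not activated), and allowed() applies the access rule from the list above (no active policy: open; an active policy with no members: closed; otherwise only listed members). Members are plain WWN strings; the per-type matching rules are not modelled, and treating several active DCC policies as one union is an assumption.

```python
"""Model of one switch's ACL policy database: the defined policy set, the
active policy set, and the volatile edits that precede a save or activate."""
import re
from typing import Dict, List, Optional, Set

# Policy names are case-sensitive and uppercase; only DCC may have several.
POLICY_NAME_RE = re.compile(r"^(FCS_POLICY|SCC_POLICY|DCC_POLICY_[A-Z0-9_]+)$")


def policy_type(name: str) -> str:
    """Return 'FCS', 'SCC' or 'DCC' for a valid policy name."""
    if not POLICY_NAME_RE.match(name):
        raise ValueError(f"{name!r}: expected FCS_POLICY, SCC_POLICY or DCC_POLICY_nnn")
    return name[:3]


class AclPolicyStore:
    """Policy sets of one switch (changes are local to it, as the guide notes)."""

    def __init__(self) -> None:
        self.defined: Dict[str, Set[str]] = {}   # defined policy set: every saved policy
        self.active: Dict[str, Set[str]] = {}    # active policy set: policies being enforced
        # Pending (volatile) edits: name -> members, or None for a pending deletion.
        self._volatile: Dict[str, Optional[Set[str]]] = {}

    def _working_copy(self, name: str) -> Set[str]:
        members = self._volatile.get(name)
        if members is None:   # first edit of this policy: start from the defined copy
            members = set(self.defined.get(name, set()))
            self._volatile[name] = members
        return members

    def create(self, name: str, members: List[str]) -> None:
        policy_type(name)
        if name in self.defined or name in self._volatile:
            raise ValueError(f"{name} already exists")
        self._volatile[name] = set(members)

    def add_member(self, name: str, member: str) -> None:
        self._working_copy(name).add(member)

    def remove_member(self, name: str, member: str) -> None:
        self._working_copy(name).discard(member)

    def delete(self, name: str) -> None:
        self._volatile[name] = None

    def save(self) -> None:
        """Commit volatile edits to the defined set; nothing is enforced yet."""
        for name, members in self._volatile.items():
            if members is None:
                self.defined.pop(name, None)
            else:
                self.defined[name] = set(members)
        self._volatile.clear()

    def activate(self) -> None:
        """Save, then make the active set a copy of the defined set."""
        self.save()
        self.active = {n: set(m) for n, m in self.defined.items()}

    def status(self, name: str) -> str:
        """The three cases the guide distinguishes, plus the two trivial ones."""
        in_def, in_act = name in self.defined, name in self.active
        if in_def and in_act:
            return "active" if self.defined[name] == self.active[name] else "modified, not activated"
        if in_def:
            return "defined, not activated"
        if in_act:
            return "active, deletion not activated"
        return "not present"

    def allowed(self, ptype: str, member: str) -> bool:
        """Is `member` admitted by the active policies of type FCS, SCC or DCC?"""
        active = [m for n, m in self.active.items() if policy_type(n) == ptype]
        if not active:   # no policy of this type: that aspect of the fabric is open
            return True
        # An active policy with no members closes the aspect to all access;
        # several active DCC policies are treated as one union (assumption).
        return any(member in m for m in active)
```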